[CVE-2023-30179] Server-Side Template Injection
Exploit Author: datnlq, a member of the Information Security Lab at VNUHCM-University of Information Technology
Vendor of Product: CraftCMS
Affected Product Code Base: 3.7.59
CVE: CVE-2023-30179
Description: CraftCMS 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field. Uploading a new avatar then leads to Remote Code Execution.
Steps to reproduce:
Step 1: Go to User Settings -> Settings and inject the SSTI payload into the User Photo Location field
Step 2: Upload a new avatar (My Account -> Photo)
Step 3: Go to Assets to view the result of the SSTI payload
Exploit SSTI to RCE:
In the admin page, under User Settings -> Settings, we can inject into the User Photo Location param using a Twig template to Title Format.
Payload:
After that, we upload a new avatar to trigger the SSTI template, then access shell.php for RCE.
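For reviewing a site, the following added example (not part of the original advisory and not Craft CMS code) flags stored User Photo Location values that contain template syntax instead of a plain relative folder path. The function names, finding labels and sample values are assumptions constructed for illustration.

```python
import re

# Twig delimiters: {{ expression }}, {% statement %}, {# comment #}.
TWIG_DELIMITER = re.compile(r"\{\{|\{%|\{#")
# Craft's single-brace object-template shorthand, e.g. {id}.
SHORT_TAG = re.compile(r"\{[^{}%#][^{}]*\}")
# Allow-list for a static relative folder path such as "users/photos".
STATIC_PATH = re.compile(r"[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*")


def review_photo_location(value):
    """Return findings for one User Photo Location value ([] = plain path)."""
    findings = []
    value = (value or "").strip()
    if not value:
        return findings  # empty location: nothing to render
    if TWIG_DELIMITER.search(value):
        findings.append("twig-delimiter")
    elif SHORT_TAG.search(value):
        findings.append("object-tag")
    if ".." in value.split("/"):
        findings.append("path-traversal")
    # Only report odd characters when nothing more specific was found.
    if not findings and not STATIC_PATH.fullmatch(value.strip("/")):
        findings.append("unexpected-characters")
    return findings


def audit(settings):
    """Map each entry name to its findings, keeping only flagged entries."""
    return {name: found for name, value in settings.items()
            if (found := review_photo_location(value))}


# Constructed sample values (hypothetical), keyed by an arbitrary site label.
SAMPLES = {
    "site-a": "avatars",
    "site-b": "users/photos",
    "site-c": "photos/{{ currentUser.id }}",
    "site-d": "photos/{id}",
    "site-e": "../outside",
    "site-f": "",
}

if __name__ == "__main__":
    for name, found in audit(SAMPLES).items():
        print(name, found)
```

Any flagged value is a reason to check who changed the setting and when, and to review the Assets listing for files that were not expected.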