Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Lektor Static CMS 3.3.10 Arbitrary File Upload / Remote Code Execution

🗓️ 20 Mar 2024 00:00:00Reported by kai6uType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 274 Views

Lektor CMS 3.3.10 Arbitrary File Uploa

Code
`# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload  
# Date: 20/03/2024  
# Exploit Author: kai6u  
# Vendor Homepage: https://www.getlektor.com/  
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10  
# Version: 3.3.10  
# Tested on: Ubuntu 22.04  
# Summary:  
Arbitrary File upload in Lektor exist, It is possible to upload file to any directory on the server.  
Affected Version:  
< Version Release v3.3.10 (https://github.com/lektor/lektor/releases/tag/v3.3.10)  
Fixed Version:  
Latest Version Release v3.3.11 (https://github.com/lektor/lektor/releases/tag/v3.3.11)  
# Steps:  
3.Steps  
The following are the steps of an attack that an attacker might perform.  
1.Arbitrary File Upload and Store the payload  
Access the administrator console and use the Add Page function to create a file  
containing the payload to the templates directory and prepare to execute the  
command.  
2.Execute Command  
Next, execute arbitrary commands on the administrator console by referencing the  
file containing the malicious payload as templates  
  
# Description:  
1 ) Access to the administrator console via NW first creates a contetns.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory.(Attacker also can upload to any directory.)  
  
Payload:  
  
{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}  
  
2 ) Create a new page by specifying the created contents.lr as template.  
  
3 ) Use the preview function to check the sample page with the specified templates.  
  
# Impact  
Since attackers can execute arbitrary commands on the target environment, they can.  
1.Steal sensitive files on the server.  
2.Browse like /etc/passwd file and configure it to allow SSH connections as an OS user.  
3.Use the server as a stepping stone for another attack and perform malicious actions.  
4.Encrypt all content in the server and demand money.  
5.Shut down the server and disrupt the target.  
This is very dangerous because commands can be executed if the administrator's consolecan be accessed via the NW  
  
# References  
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti  
https://github.com/lektor/lektor/releases/tag/v3.3.11  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Mar 2024 00:00Current
7.4High risk
Vulners AI Score7.4
lektor cmsarbitrary file uploadremote code executionsecurity exploitserver vulnerabilitycommand executiondata theftmalicious actions
274