## https://sploitus.com/exploit?id=6673E95E-887B-5B32-A094-2417DC93AAE1
# CVE-2023-4002 Ghost-Arbitrary-File-Read (< 5.59.1)
A vulnerability in Ghost CMS (CVE-2023-40028) that allows an authenticated attacker to read arbitrary files from the server. By leveraging the symlink functionality within a ZIP file, the exploit bypasses restrictions in Ghost CMS's import mechanism to access sensitive files on the system.
# Requirements
[!] Valid credentials required
Python 3.7+
Dependencies: requests, argparse, and standard Python libraries.
# Usage
`python3 exploit.py --user admin@ghost.local --password Strongpassword123! --url http://example.com`
--user <username>: The username/email for the target Ghost CMS.
--password <password>: The password for the target Ghost CMS.
--url <host_url>: The URL of the target Ghost CMS (e.g., http://website.com).
1) Login: The script authenticates with the Ghost CMS admin API and retrieves a session cookie.
2) Interactive Shell: Once logged in, the script prompts for a file path to read form the server.
# Shell Example:
![image](https://github.com/user-attachments/assets/4023e8e8-4aae-49d6-aa5a-12c75f3adcfa)
# References
[CVE-2023-40028 ~1](https://nvd.nist.gov/vuln/detail/CVE-2023-40028).
[CVE-2023-40028 ~2](https://www.recordedfuture.com/vulnerability-database/CVE-2023-40028).
Disclaimer
This script is for educational purposes.