Share
## https://sploitus.com/exploit?id=PACKETSTORM:177708
# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload  
# Date: 20/03/2024  
# Exploit Author: kai6u  
# Vendor Homepage: https://www.getlektor.com/  
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10  
# Version: 3.3.10  
# Tested on: Ubuntu 22.04  
# Summary:  
Arbitrary File upload in Lektor exist, It is possible to upload file to any directory on the server.  
Affected Version:  
< Version Release v3.3.10 (https://github.com/lektor/lektor/releases/tag/v3.3.10)  
Fixed Version:  
Latest Version Release v3.3.11 (https://github.com/lektor/lektor/releases/tag/v3.3.11)  
# Steps:  
3.Steps  
The following are the steps of an attack that an attacker might perform.  
1.Arbitrary File Upload and Store the payload  
Access the administrator console and use the Add Page function to create a file  
containing the payload to the templates directory and prepare to execute the  
command.  
2.Execute Command  
Next, execute arbitrary commands on the administrator console by referencing the  
file containing the malicious payload as templates  
  
# Description:  
1 ) Access to the administrator console via NW first creates a contetns.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory.(Attacker also can upload to any directory.)  
  
Payload:  
  
{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}  
  
2 ) Create a new page by specifying the created contents.lr as template.  
  
3 ) Use the preview function to check the sample page with the specified templates.  
  
# Impact  
Since attackers can execute arbitrary commands on the target environment, they can.  
1.Steal sensitive files on the server.  
2.Browse like /etc/passwd file and configure it to allow SSH connections as an OS user.  
3.Use the server as a stepping stone for another attack and perform malicious actions.  
4.Encrypt all content in the server and demand money.  
5.Shut down the server and disrupt the target.  
This is very dangerous because commands can be executed if the administrator's consolecan be accessed via the NW  
  
# References  
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti  
https://github.com/lektor/lektor/releases/tag/v3.3.11