CVE-2023-43352: GitHub - sromanhu/CVE-2023-43352-CMSmadesimple-SSTI--Content: SSTI vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a te

CMSmadesimple SSTI v2.2.18****Author: (Sergio)

Description: Server Side Template Injection (SSTI) vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Attack Vectors: A SSTI vulnerability in the sanitization of the entry in the Content of “Content - Content Manager Menu” allows injecting a malicious payload into a template code that will be executed when the user accesses the web page.

POC:

When logging into the panel, we will go to the “Content Manager- Title” section off Content Menu.

We edit that Content field with a template malicious payload.SSTI Payload:
In the following image you can see the embedded code that executes the payload in the main web.

We identify the technology used with the following payload.SSTI Payload:

And the result is the following:

Since the payload has worked we know that it uses Smarty, then we obtain the Smarty version with the following payload:SSTI Payload:

And in the result we can see the version of Smarty using the SSTI:

We can also use the following payload to see the server name variable:SSTI Payload:

{$smarty.server.SERVER_NAME}

Below is the result of the SSTI payload with the server name:

Additional Information:

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03_2021-Injection/