Headline
Lektor Static CMS 3.3.10 Arbitrary File Upload / Remote Code Execution
Lektor Static CMS version 3.3.10 suffers from an arbitrary file upload vulnerability that can be leveraged to achieve remote code execution.
# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload# Date: 20/03/2024# Exploit Author: kai6u# Vendor Homepage: https://www.getlektor.com/# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10# Version: 3.3.10# Tested on: Ubuntu 22.04# Summary:Arbitrary File upload in Lektor exist, It is possible to upload file to any directory on the server. Affected Version: < Version Release v3.3.10 (https://github.com/lektor/lektor/releases/tag/v3.3.10) Fixed Version: Latest Version Release v3.3.11 (https://github.com/lektor/lektor/releases/tag/v3.3.11)# Steps:3.StepsThe following are the steps of an attack that an attacker might perform. 1.Arbitrary File Upload and Store the payload Access the administrator console and use the Add Page function to create a filecontaining the payload to the templates directory and prepare to execute thecommand. 2.Execute Command Next, execute arbitrary commands on the administrator console by referencing thefile containing the malicious payload as templates# Description:1 ) Access to the administrator console via NW first creates a contetns.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory.(Attacker also can upload to any directory.)Payload:{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}2 ) Create a new page by specifying the created contents.lr as template.3 ) Use the preview function to check the sample page with the specified templates.# ImpactSince attackers can execute arbitrary commands on the target environment, they can. 1.Steal sensitive files on the server. 2.Browse like /etc/passwd file and configure it to allow SSH connections as an OS user. 3.Use the server as a stepping stone for another attack and perform malicious actions. 4.Encrypt all content in the server and demand money. 5.Shut down the server and disrupt the target.This is very dangerous because commands can be executed if the administrator's consolecan be accessed via the NW# Referenceshttps://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-sstihttps://github.com/lektor/lektor/releases/tag/v3.3.11