POC详情: 61e71f2fde924f91c5dc328b14dda257abfb7338

来源
https://github.com/monke443/CVE-2023-40028-Ghost-Arbitrary-File-Read
关联漏洞
标题: Ghost Foundation Ghost 后置链接漏洞 (CVE-2023-40028)
描述:Ghost Foundation Ghost是Ghost开源的一款用 JavaScript 编写的个人博客系统。 Ghost 5.59.1 版本之前存在后置链接漏洞,该漏洞源于允许经过身份验证的用户上传符号链接文件。攻击者利用该漏洞可以读取任意文件。
描述
Arbitrary file read in Ghost-CMS allows an attacker to upload a malicious ZIP file with a symlink.
介绍
# CVE-2023-4002 Ghost-Arbitrary-File-Read (< 5.59.1)

A vulnerability in Ghost CMS (CVE-2023-40028) that allows an authenticated attacker to read arbitrary files from the server. By leveraging the symlink functionality within a ZIP file, the exploit bypasses restrictions in Ghost CMS's import mechanism to access sensitive files on the system.

# Requirements

    [!] Valid credentials required
    Python 3.7+
    Dependencies: requests, argparse, and standard Python libraries.


# Usage

`python3 exploit.py --user admin@ghost.local --password Strongpassword123! --url http://example.com`

    --user <username>: The username/email for the target Ghost CMS.
    --password <password>: The password for the target Ghost CMS.
    --url <host_url>: The URL of the target Ghost CMS (e.g., http://website.com).


  1) Login: The script authenticates with the Ghost CMS admin API and retrieves a session cookie.
  2) Interactive Shell: Once logged in, the script prompts for a file path to read form the server.

# Shell Example:

![image](https://github.com/user-attachments/assets/4023e8e8-4aae-49d6-aa5a-12c75f3adcfa)

# References
[CVE-2023-40028 ~1](https://nvd.nist.gov/vuln/detail/CVE-2023-40028).

[CVE-2023-40028 ~2](https://www.recordedfuture.com/vulnerability-database/CVE-2023-40028).

Disclaimer
This script is for educational purposes.
文件快照

 [4.0K]  /data/pocs/61e71f2fde924f91c5dc328b14dda257abfb7338
├── [3.7K]  exploit.py
└── [1.3K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。