Home Tools Exploits & CVE's Lektor Static CMS 3.3.10 Arbitrary File Upload / Remote Code Execution

Lektor Static CMS 3.3.10 Arbitrary File Upload / Remote Code Execution

March 26, 2024

Authored by kai6u

Lektor Static CMS version 3.3.10 suffers from an arbitrary file upload vulnerability that can be leveraged to achieve remote code execution.

Change Mirror Download

# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload
# Date: 20/03/2024
# Exploit Author: kai6u
# Vendor Homepage: https://www.getlektor.com/
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10
# Version: 3.3.10
# Tested on: Ubuntu 22.04
# Summary:
Arbitrary File upload in Lektor exist, It is possible to upload file to any directory on the server.
 Affected Version:
 < Version Release v3.3.10 (https://github.com/lektor/lektor/releases/tag/v3.3.10)
 Fixed Version:
 Latest Version Release v3.3.11 (https://github.com/lektor/lektor/releases/tag/v3.3.11)
# Steps:
3.Steps
The following are the steps of an attack that an attacker might perform.
 1.Arbitrary File Upload and Store the payload
 Access the administrator console and use the Add Page function to create a file
containing the payload to the templates directory and prepare to execute the
command.
 2.Execute Command
 Next, execute arbitrary commands on the administrator console by referencing the
file containing the malicious payload as templates

# Description:
1 ) Access to the administrator console via NW first creates a contetns.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory.(Attacker also can upload to any directory.)

Payload:

{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}

2 ) Create a new page by specifying the created contents.lr as template.

3 ) Use the preview function to check the sample page with the specified templates.

# Impact
Since attackers can execute arbitrary commands on the target environment, they can.
 1.Steal sensitive files on the server.
 2.Browse like /etc/passwd file and configure it to allow SSH connections as an OS user.
 3.Use the server as a stepping stone for another attack and perform malicious actions.
 4.Encrypt all content in the server and demand money.
 5.Shut down the server and disrupt the target.
This is very dangerous because commands can be executed if the administrator's consolecan be accessed via the NW

# References
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti
https://github.com/lektor/lektor/releases/tag/v3.3.11

Lektor Static CMS 3.3.10 Arbitrary File Upload / Remote Code Execution

Follow us on Instagram @thecyberpost

EDITOR PICKS

FBI: Fraudsters using fake online dating verification apps to scam lovers

Know-your-customer executive order facing stiff opposition from cloud industry

Congress picked a direct fight with ByteDance and TikTok. The privacy...

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

School Faculty Scheduling System 1.0 SQL Injection

PFSense 2.5.0 Cross Site Scripting

NIMax 5.3.1f0 Denial Of Service