Craft CMS lets users upload files through its Assets field, and the storage location behind that field, an asset volume, can be configured to point at any directory on disk. If a volume resolves to the templates directory, an attacker with upload rights can place a Twig template there; pointing a route at that uploaded template yields a working Server-Side Template Injection. From there, Twig filters can be used to escape the Twig sandbox and reach Arbitrary Code Execution.
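The chain above depends on one misconfiguration: a local volume whose base path escapes the upload area, in particular one that lands inside the Twig templates tree. The script below is an added example (not code from the original post or from Craft CMS) that audits volume settings for exactly that. It assumes the project layout and alias names shown in ALIASES, volume settings in the shape of Craft's project config, and that relative volume paths resolve against @root; the volumes themselves are constructed input.

```python
import os

# Constructed example project layout. The alias names follow Craft's
# conventions (@root, @webroot, @templates); the directories are made up.
ALIASES = {
    "@root": "/var/www/craft",
    "@webroot": "/var/www/craft/web",
    "@templates": "/var/www/craft/templates",
}


def expand(path, aliases=ALIASES):
    """Replace a leading @alias with its directory and normalise the result.

    A relative path is treated as relative to @root (assumption for this
    example). Normalisation collapses '..' segments, which is what lets a
    path such as '@webroot/../templates' be recognised for what it is.
    """
    for alias, target in aliases.items():
        if path == alias or path.startswith(alias + "/"):
            path = target + path[len(alias):]
            break
    if not os.path.isabs(path):
        path = os.path.join(aliases["@root"], path)
    return os.path.normpath(path)


def inside(path, parent):
    """True if path equals parent or is a descendant of it."""
    return os.path.commonpath([path, parent]) == parent


def audit_volumes(volumes, aliases=ALIASES, upload_root=None):
    """Return {volume_handle: [issues]} for local volumes whose base path
    is outside the allowed upload root or inside the templates tree.

    upload_root defaults to @webroot; tighten it to the directory that
    really holds uploads if the site keeps them in one place.
    """
    upload_root = os.path.normpath(upload_root or aliases["@webroot"])
    templates = os.path.normpath(aliases["@templates"])
    findings = {}
    for handle, settings in volumes.items():
        if settings.get("type", "local") != "local":
            continue  # remote volumes (S3 etc.) cannot write into the templates dir
        base = expand(settings["path"], aliases)
        issues = []
        if inside(base, templates):
            issues.append(f"base path {base} is inside the templates directory")
        if not inside(base, upload_root):
            issues.append(f"base path {base} is outside the upload root {upload_root}")
        if issues:
            findings[handle] = issues
    return findings


# Constructed volume settings, in the shape of Craft's project config.
VOLUMES = {
    "images": {"path": "@webroot/uploads/images"},   # fine
    "docs": {"path": "@webroot/../templates"},       # '..' escape into templates
    "legacy": {"path": "@templates/_partials"},      # alias points straight at templates
    "backups": {"path": "/srv/backups"},             # outside the web root entirely
}

if __name__ == "__main__":
    for handle, issues in audit_volumes(VOLUMES).items():
        for issue in issues:
            print(f"{handle}: {issue}")
```

The check works on strings only, so it will not see a symlink that points a harmless-looking upload directory at the templates tree; run it against `os.path.realpath` of the expanded base on the live host if that is a concern. It is also only one layer: restricting uploadable extensions with Craft's `allowedFileExtensions` setting so that `.twig` files cannot be uploaded at all is the other half of closing this particular chain.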
Our Blog
Dynamic importing stuff in Python
In my artificial intelligence project’s prototype, Okai, I did some dynamic importing, which surprisingly was unknown to many. I think you might be interested in knowing about it as well. Before I explain dynamic importing, let me explain traditional imports too, for the sake of readers of all levels. To follow along, you must be at […]
From Burnout to RCE: Getting out of the rat race
The write-up starts by explaining burnout from bug bounties, moves on to greybox testing, and ends with a thorough explanation and coordinated disclosure of CVE-2021-27902 and CVE-2021-27903, which can be chained together to gain Remote Code Execution in Craft CMS. The article is divided into sections. You can skip ahead and read whatever you feel like, or just read […]
You don’t need xss.rocks/xss.js
Many newcomers, as well as professionals focusing on XSS, seem to miss one simple yet powerful thing: data URLs. When they find an XSS, hackers test the vulnerability with a hosted payload such as xss.rocks or host their own files. But most of the time you don’t need a hosted JavaScript file. You can simply use […]
Bypassing WAF in Misconfigured WordPress
Web Application Firewalls such as Cloudflare are pretty good at protecting websites by proxying all traffic through their own edge servers. But if the origin IP address is leaked, that protection is usually bypassed and the attacker can target the application directly.
IP Disclosure in WordPress
WordPress stores the site URL and home URL in the database […]
Open Redirect in Flattr
This bug in Flattr was a low-impact Open Redirect that allowed an attacker to redirect the victim after they authorized Twitter.
PoC
Timeline
Found vulnerability – 5th June, 2020
Made contact with Flattr – 5th June, 2020
Reported vulnerability – 9th June, 2020
Bug fixed – 11th June, 2020
Reference
https://cwe.mitre.org/data/definitions/601.html