Lektor 3.3.10 Arbitrary File upload

2024.03.20
jp kai6u (JP) jp
Risk: High
Local: No
Remote: Yes
CWE: CWE-434

# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload
# Date: 20/03/2024
# Exploit Author: kai6u
# Vendor Homepage: https://www.getlektor.com/
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10
# Version: 3.3.10
# Tested on: Ubuntu 22.04

1) With network access to the administrator console, first create a contents.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory as the target. (The attacker can also upload to any other directory.)

Payload:
{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}

2) Create a new page, specifying the created contents.lr as its template.

3) Use the preview function to view the sample page rendered with the specified template.
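The chain above relies on two observable anomalies: a Lektor content file (.lr) landing inside the templates directory, and a Jinja2 expression that walks Python internals (`__class__`, `__mro__`, `__subclasses__`) instead of referencing page fields. The following scanner is an added detection example written for this advisory, not code from Lektor or from the exploit author; it uses only the standard library, and the sample project tree it builds (`build_sample_project`, `SAMPLE_FILES`, the planted file text) is constructed for the demo. It walks a project directory, flags content files placed under `templates/`, and reports every Jinja block containing introspection names that a site template never legitimately needs. The indicator list goes beyond the single payload on this page to cover the common dunder and process-spawning names seen in this class of template injection.

```python
"""Scan a Lektor project tree for template-injection indicators (added example)."""
import re
import tempfile
from pathlib import Path

# Jinja2 expression ({{ ... }}) and statement ({% ... %}) delimiters used by Lektor templates.
JINJA_BLOCK = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Names that have no place in a site template; any of them inside a Jinja block
# is a strong indicator of an attempt to reach Python internals from the template.
SUSPICIOUS = re.compile(
    r"__(class|mro|subclasses|globals|builtins|import|getattribute|base|bases|init)__"
    r"|\b(popen|subprocess|os\.system|eval|exec|importlib)\b"
    r"|shell\s*=\s*True"
)


def find_ssti_indicators(text):
    """Return (line_no, block) for every Jinja block in text that contains a suspicious name."""
    hits = []
    for m in JINJA_BLOCK.finditer(text):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        if SUSPICIOUS.search(body):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, m.group(0).strip()))
    return hits


def scan_tree(root, suffixes=(".lr", ".html", ".txt", ".xml")):
    """Walk a project tree; return {relative path: [(line_no, reason), ...]} for flagged files.

    Line number 0 marks a structural finding (misplaced file) rather than a text match.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        rel = path.relative_to(root)
        hits = []
        # Lektor content files belong under content/; a .lr file under templates/
        # is exactly what step 1 of the advisory produces.
        if path.suffix == ".lr" and rel.parts and rel.parts[0] == "templates":
            hits.append((0, "content file (.lr) inside templates directory"))
        hits.extend(find_ssti_indicators(path.read_text(encoding="utf-8", errors="replace")))
        if hits:
            findings[rel.as_posix()] = hits
    return findings


# Constructed sample project: one benign content file, one benign template, and one
# planted .lr file under templates/ carrying an introspection probe on its 7th line.
PLANTED = (
    "_model: page\n"
    "---\n"
    "title: Planted template\n"
    "---\n"
    "body:\n"
    "\n"
    "{{ ''.__class__.__mro__[1].__subclasses__() }}\n"
)
SAMPLE_FILES = {
    "content/contents.lr": "_model: page\n---\ntitle: Home\n---\nbody:\n\nWelcome to the site.\n",
    "templates/page.html": (
        '<h1 class="title">{{ this.title }}</h1>\n'
        "{% for c in this.children %}<li>{{ c.title }}</li>{% endfor %}\n"
    ),
    "templates/contents.lr": PLANTED,
}


def build_sample_project(root):
    """Write the constructed sample files below root."""
    for rel, text in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")


def demo():
    """Build the sample tree in a temporary directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for line_no, reason in hits:
            print(f"{rel_path}:{line_no}: {reason}")
```

Run it against a real project root with `scan_tree("/path/to/project")`; only `templates/contents.lr` is reported for the sample tree, once for its location and once for the flagged expression, while the benign template's `class="title"` attribute and `{% for %}` loop produce no hits because the indicators are matched only inside Jinja blocks and only on internal names.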


Copyright 2024, cxsecurity.com
