SSTI vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a template, which is then executed server-side# CMSmadesimple SSTI v2.2.18
## Author: (Sergio)
**Description:** Server Side Template Injection (SSTI) vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
**Attack Vectors:** A SSTI vulnerability in the sanitization of the entry in the Content of "Content - Content Manager Menu" allows injecting a malicious payload into a template code that will be executed when the user accesses the web page.
---
### POC:
When logging into the panel, we will go to the "Content Manager- Title" section off Content Menu.
<br>
We edit that Content field with a template malicious payload.
### SSTI Payload:
```js
{{4*4}}
```
<br>
In the following image you can see the embedded code that executes the payload in the main web.
<br>
We identify the technology used with the following payload.
### SSTI Payload:
```js
a{*comment*}b
```
<br>
And the result is the following:
<br>
Since the payload has worked we know that it uses Smarty, then we obtain the Smarty version with the following payload:
### SSTI Payload:
```js
{$smarty.version}
```
And in the result we can see the version of Smarty using the SSTI:
<br>
We can also use the following payload to see the server name variable:
### SSTI Payload:
```js
{$smarty.server.SERVER_NAME}
```
</br>
<br>
Below is the result of the SSTI payload with the server name:
<br>
</br>
</br>
### Additional Information:
http://www.cmsmadesimple.org/
https://owasp.org/Top10/es/A03_2021-Injection/
[4.0K] /data/pocs/7c9cdf2a63158064e4d7266cc790a9f9a9ad169b
└── [2.6K] README.md
0 directories, 1 file