Description: Server Side Template Injection (SSTI) vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
Attack Vectors: A SSTI vulnerability in the sanitization of the entry in the Content of "Content - Content Manager Menu" allows injecting a malicious payload into a template code that will be executed when the user accesses the web page.
When logging into the panel, we will go to the "Content Manager- Title" section off Content Menu.
We edit that Content field with a template malicious payload.
{{4*4}}In the following image you can see the embedded code that executes the payload in the main web.
We identify the technology used with the following payload.
a{*comment*}b
And the result is the following:
Since the payload has worked we know that it uses Smarty, then we obtain the Smarty version with the following payload:
{$smarty.version}
And in the result we can see the version of Smarty using the SSTI:
We can also use the following payload to see the server name variable:
{$smarty.server.SERVER_NAME}
Below is the result of the SSTI payload with the server name:
