# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload
# Date: 20/03/2024
# Exploit Author: kai6u
# Vendor Homepage: https://www.getlektor.com/
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10
# Version: 3.3.10
# Tested on: Ubuntu 22.04
# Summary:
Arbitrary File upload in Lektor exist, It is possible to upload file to any directory on the server.
 Affected Version:
 < Version Release v3.3.10 (https://github.com/lektor/lektor/releases/tag/v3.3.10)
 Fixed Version:
 Latest Version Release v3.3.11 (https://github.com/lektor/lektor/releases/tag/v3.3.11)
# Steps:
3.Steps
The following are the steps of an attack that an attacker might perform.
 1.Arbitrary File Upload and Store the payload
 Access the administrator console and use the Add Page function to create a file
containing the payload to the templates directory and prepare to execute the
command.
 2.Execute Command
 Next, execute arbitrary commands on the administrator console by referencing the
file containing the malicious payload as templates

# Description:
1 ) Access to the administrator console via NW first creates a contetns.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory.(Attacker also can upload to any directory.)

Payload:

{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}

2 ) Create a new page by specifying the created contents.lr as template.

3 ) Use the preview function to check the sample page with the specified templates.

# Impact
Since attackers can execute arbitrary commands on the target environment, they can.
 1.Steal sensitive files on the server.
 2.Browse like /etc/passwd file and configure it to allow SSH connections as an OS user.
 3.Use the server as a stepping stone for another attack and perform malicious actions.
 4.Encrypt all content in the server and demand money.
 5.Shut down the server and disrupt the target.
This is very dangerous because commands can be executed if the administrator's consolecan be accessed via the NW

# References
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti
https://github.com/lektor/lektor/releases/tag/v3.3.11