This repository contains a proof of concept (PoC) exploit for CVE-2023-22894, which allows unauthenticated users to leak sensitive information and hijack Strapi administrator accounts by exploiting Strapi's filtering functionality on private fields.
This exploit targets Strapi versions <=4.7.1 and demonstrates how an unauthenticated user can leak sensitive information, such as password hashes and reset tokens, by exploiting Strapi's filtering functionality on private fields in API requests. By chaining this exploit with CVE-2023-22621, it's possible to achieve unauthenticated remote code execution on affected Strapi instances.
To run this PoC exploit, you will need the following:
- Python 3.x
- Requests library for Python (
pip install requests)
- Clone the repository and navigate to the directory:
git clone https://github.com/Saboor-Hakimi/CVE-2023-22894
cd CVE-2023-22894- Run the
dump-authless.pyexploit script with the following arguments:
python3 dump-authless.py -u <target_url> -e <endpoint> [-d <dump>]- The following arguments are required for running the
dump-authless.pyscript:
-uor--url: The target URL of the vulnerable Strapi instance.-eor--endpoint: The public endpoint on Strapi which has a relationship with the User.
Additionally, you can use the optional -d or --dump argument to dump the password reset token:
-d true: Dump the password reset token.
Example:
python3 dump-authless.py -u http://example.com -e /api/articles -d true- If the exploit is successful, the script will output the leaked sensitive information and password reset token for the targeted Strapi administrator account.
This PoC exploit is for educational and research purposes only. Unauthorized access to computer systems is illegal and punishable by law. The author of this repository is not responsible for any misuse or damage caused by the provided code.
Special thanks to the original finder of this vulnerability and the creator of the authenticated exploit for their research and contributions to the security community.