来源

关联漏洞

描述

This script demonstrates a proof-of-concept (PoC) for exploiting a file read vulnerability in the iconv library, as detailed in Ambionics Security's blog https://www.ambionics.io/blog/iconv-cve-2024-2961-p1.

介绍

# CVE-2024-2961 Remote File Read

This script is designed to exploit a vulnerability in systems that use the `iconv` library with improper handling of character encoding conversions, as described in **CVE-2024-2961**. The vulnerability allows an attacker to read arbitrary files on the server by leveraging PHP filter chains and improper encoding conversions.

The script automates the process of uploading a malicious payload, downloading the resulting file, and displaying its contents. It is based on the research and techniques detailed in the article: [Iconv CVE-2024-2961: Exploiting Character Encoding Conversions](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1).

---

## **How It Works**

The script exploits the following steps:

1. **Payload Creation**:
   - Generates a PHP filter chain payload that uses `iconv` encoding conversions to read arbitrary files on the server.
   - The payload is designed to bypass restrictions and read files like `/etc/passwd` or other sensitive files.

2. **File Upload**:
   - Sends a POST request to the target server's `admin-ajax.php` endpoint, simulating an image upload.
   - The payload is embedded in the request, tricking the server into processing it as a valid file.

3. **File Download**:
   - After the upload, the script downloads the resulting file, which contains the contents of the target file.
   - The script then extracts and displays the file contents.

---

## **Prerequisites**

- Python 3.x
- `requests` library (`pip install requests`)
- A vulnerable server that is susceptible to CVE-2024-2961 (e.g., a server using a vulnerable version of `iconv` and PHP).

---

## **Usage**

1. Clone the repository or download the script:
   ```bash
   git clone https://github.com/kyotozx/CVE-2024-2961-Remote-File-Read.git
   cd CVE-2024-2961-Remote-File-Read
   ```

2. Run the script:
   ```bash
   python3 lfi.py
   ```

3. Follow the prompts:
   - Enter the path of the file you want to read (e.g., `/etc/passwd`).
   - Enter a numeric ID for the upload (e.g., `1`).

4. The script will:
   - Upload the payload to the server.
   - Download the resulting file.
   - Display the contents of the target file.

---

## **Example**

```plaintext
Remote File Read Exploitation - CVE-2024-2961
Enter the path of the file you want to read (e.g., /etc/passwd): /etc/passwd
Enter a numeric ID for the upload (e.g., 1): 1
File uploaded successfully: http://blog.bigbang.htb/wp-content/uploads/2025/01/1-50.png
File content:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```

---

## **Disclaimer**

This script is intended for **educational and authorized testing purposes only**. Do not use it on systems without explicit permission. The authors are not responsible for any misuse or damage caused by this tool.

---

## **Credits**

- Based on the research and techniques described in the article: [Iconv CVE-2024-2961: Exploiting Character Encoding Conversions](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1).
- Developed as a proof-of-concept to demonstrate the vulnerability.

---

### **References**

- [CVE-2024-2961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961)
- [Ambionics Blog: Iconv CVE-2024-2961](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)

---

文件快照

 [4.0K]  /data/pocs/5825f6682a47a66f6b34a72fe34099403d00439b
├── [5.5K]  lfi.py
└── [3.2K]  README.md

0 directories, 2 files

备注