CVE-2022-24785 PoC — Moment.js Path Traversal Vulnerability

Associated Vulnerability
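Title: Moment.js Path Traversal Vulnerability (CVE-2022-24785)
Description: Moment.js is a JavaScript date library used to parse, validate, manipulate, and format dates. Moment.js versions 1.0.1 through 2.29.1 contain a path traversal vulnerability. An attacker can exploit this vulnerability to access files and directories stored outside the web root folder.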
Description
Moment.js vuln lab
Readme
## Overview
This is a simple Node Express app for exploring the Moment.js path traversal vulnerability (CVE-2022-24785).

## Setup
```bash
git clone https://github.com/pS3ud0RAnD0m/momentjs.git
cd momentjs
cat package.json # Change 'moment' to '2.29.4' if wanting to test bypasses of the current patch.
npm install
node app.js
```
File Snapshot

```
[4.0K] /data/pocs/6fadf1fe6d9dc9a5c8a35511799a9ebbd73fdfe0
├── [6.1K] app.js
├── [4.0K] assets
│   ├── [4.0K] css
│   │   ├── [143K] bootstrap.css
│   │   ├── [380K] bootstrap.css.map
│   │   ├── [ 26K] bootstrap-theme.css
│   │   ├── [ 47K] bootstrap-theme.css.map
│   │   └── [ 798] dark-theme.css
│   ├── [4.0K] html
│   │   ├── [3.2K] home.html
│   │   ├── [7.0K] moment.html
│   │   └── [2.1K] upload.html
│   ├── [4.0K] img
│   │   └── [4.2K] favicon.ico
│   └── [4.0K] js
│       ├── [ 36K] bootstrap.min.js
│       └── [ 85K] jquery.min.js
├── [ 34K] LICENSE
├── [ 130] package.json
├── [ 57K] package-lock.json
├── [ 321] README.md
└── [4.0K] uploads
    ├── [  63] test1.js
    ├── [ 107] test2.js
    ├── [ 363] test3.js
    └── [ 137] test4.txt

6 directories, 20 files
```