CVE-2024-24520 PoC — LeptonCMS 安全漏洞

Source

https://github.com/xF-9979/CVE-2024-24520

Associated Vulnerability

Title:LeptonCMS 安全漏洞 (CVE-2024-24520)
Description:LeptonCMS是Lepton项目的一套内容管理系统（CMS）。 LeptonCMS v.7.0.0版本存在安全漏洞，该漏洞源于允许本地攻击者通过upload.php文件执行任意代码。

Description

Arbitrary code execution vulnerability

Readme

# LEPTON-CMS
Arbitrary code execution vulnerability

BUG_Author:
xF_9979（Jin Han）

[VulnerabilityType Other]
Remote Code Execution Vulnerability

[Vendor of Product]
Lepton CMS


[Affected Product Code Base]
Lepton CMS - 7.0.0
[Affected Component]
1 ) Login with admin cred > https://127.0.0.1/LEPTONevy1ldfvvd/backend/login/index.php

![image](https://github.com/xF9979/LEPTON-CMS-/assets/108913864/6797bf14-3d9d-4efd-837f-7311d00fe158)


2 ) Go to Languages place > https://demos6.softaculous.com/LEPTONevy1ldfvvd/backend/languages/index.php?leptoken=acf433dcae00c2ce8b8dfz1708226799

![image](https://github.com/xF9979/LEPTON-CMS-/assets/108913864/90999bc0-6b94-473b-a8ef-19011c925efd)

 3 ) Upload upgrade.php file in languages place > <?php echo system('id'); ?>

 ![image](https://github.com/xF9979/LEPTON-CMS-/assets/108913864/809c4547-244e-4b80-8846-3466f752540f)

 ![image](https://github.com/xF9979/LEPTON-CMS-/assets/108913864/72b8f245-fad9-4758-8927-edd7d7caced7)

4 ) After uploading, you can see the code execution status
![image](https://github.com/xF9979/LEPTON-CMS-/assets/108913864/8d2914b8-30b2-44b6-90a2-fb9f41335e43)

File Snapshot


 [4.0K]  /data/pocs/86d7582ea60383db4dcf9769c5f2cac62c247e97
└── [1.1K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!