关联漏洞
标题:
dicer 安全漏洞
(CVE-2022-24434)
描述:dicer是mscdex个人开发者的一个非常快速的流式多部分解析器。 dicer 存在安全漏洞。恶意攻击者可以将修改后的表单发送到服务器,并使 nodejs 服务崩溃。 攻击者可以一次又一次地发送有效载荷,从而使服务不断崩溃。
介绍
# CVE-2022-24434 – PoC for Dicer
This repository contains a Proof-of-Concept (PoC) for **CVE-2022-24434**, a vulnerability affecting the [Dicer](https://www.npmjs.com/package/dicer) npm package.
> **PoC target version:** **0.3.1** (ensure the dicer code used is exactly v0.3.1)
---
## 📂 Project Structure
Make sure the directory is structured like this:
.
├── dicer/ # Cloned Dicer repo (must be v0.3.1)
├── server.js # Vulnerable server script
└── dicer_poc.js # Exploit PoC script
yaml
Copy code
---
## ⚙️ Setup
### Option A — clone the repository and checkout v0.3.1 (recommended if using the repo)
```bash
git clone https://github.com/mscdex/dicer.git
cd dicer
# fetch tags and switch to v0.3.1 (tag name may be "v0.3.1" or "0.3.1")
git fetch --all --tags
# try the tag checkout (if tag is 'v0.3.1')
git checkout tags/v0.3.1 -b poc-0.3.1 || git checkout tags/0.3.1 -b poc-0.3.1
npm install # install dicer repo dependencies if needed
cd ..
Option B — install the package at version 0.3.1 (if you prefer using npm instead of cloning repo)
If you prefer not to clone the full repository, you can create a local node_modules with the specific version:
bash
Copy code
mkdir tmp_project && cd tmp_project
npm init -y
npm install dicer@0.3.1
# copy the installed package folder node_modules/dicer into the parent folder as 'dicer'
cp -R node_modules/dicer ../dicer
cd ..
rm -rf tmp_project
Important: The PoC is written to run against the dicer source folder inside this project root. Ensure the folder named dicer in the root corresponds to version 0.3.1.
└── poc/
├── dicer/ # Cloned Dicer repo (must be v0.3.1)
├── server.js # Vulnerable server script (place here)
└── dicer_poc.js # Exploit PoC script (place here)
▶️ Running the PoC
Start the vulnerable server:
bash
Copy code
node server.js
In a separate terminal, run the exploit PoC:
bash
Copy code
node dicer_poc.js
🧩 Notes
The PoC depends on behavior present in dicer v0.3.1. Using newer or patched versions may not reproduce the issue.
If you cloned the repo and cannot find the tag, check git tag to list available tags. If there is no 0.3.1 tag, use the npm-install method above and confirm the package.json inside dicer/ shows version 0.3.1.
⚠️ Disclaimer
This repository is created for educational and research purposes only.
Do not use this PoC against systems without explicit authorization.
The author is not responsible for any misuse or damages caused.
文件快照
[4.0K] /data/pocs/ca5e0360ac5f5a3e1172ea79973bdab4a7f2c98e
├── [5.0K] dicer_poc.js
├── [2.5K] README.md
└── [1.2K] server.js
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。