@jackhax jackhax commented Dec 29, 2024

Template / PR Information

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

  • Setting Up a Vulnerable Lab:
mkdir exploit-craft && \
cd exploit-craft && \
# Configure DDEV project for Craft CMS
ddev config \
  --project-type=craftcms \
  --docroot=web \
  --create-docroot \
  --php-version="8.2" \
  --database="mysql:8.0" \
  --nodejs-version="20" && \
# Create the DDEV project
ddev start -y && \
# Create Craft CMS with the specified version
ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
# Install the specific CMS version
ddev composer require "craftcms/cms:5.5.0" \
  --no-scripts \
  --no-interaction --with-all-dependencies && \
# Set the security key for Craft CMS
ddev craft setup/security-key && \
# Install Craft CMS (the e-mail address was obfuscated on this page; admin@example.com is a placeholder)
ddev craft install/craft \
    --username=admin \
    --password=password123 \
    --email=admin@example.com \
    --site-name=Testsite \
    --language=en \
    --site-url='$DDEV_PRIMARY_URL' && \
# Enable register_argc_argv for PHP
mkdir -p .ddev/php/ && \
echo "register_argc_argv = On" > .ddev/php/php.ini && \
ddev restart && \
# Final step, echo message and launch the project
echo 'Nice, ready to launch!' && \
ddev launch
  • Template debug
[DBG] [CVE-2024-56145] Dumped HTTP response http://exploit-craft.ddev.site?--configPath=/nuclei_test/6045662496

HTTP/1.1 503 Service Unavailable
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Sun, 29 Dec 2024 07:58:21 GMT
Server: nginx

<br />
<b>Warning</b>:  mkdir(): Permission denied in <b>/var/www/html/vendor/yiisoft/yii2/helpers/BaseFileHelper.php</b> on line <b>711</b><br />
<br />
<b>Warning</b>:  mkdir(): No such file or directory in <b>/var/www/html/vendor/yiisoft/yii2/helpers/BaseFileHelper.php</b> on line <b>711</b><br />
/nuclei_test/6045662496 doesn't exist or isn't writable by PHP. Please fix that.
[CVE-2024-56145:word-1] [http] [critical] http://exploit-craft.ddev.site?--configPath=/nuclei_test/6045662496
[CVE-2024-56145:status-2] [http] [critical] http://exploit-craft.ddev.site?--configPath=/nuclei_test/6045662496
[CVE-2024-56145:status-3] [http] [critical] http://exploit-craft.ddev.site?--configPath=/nuclei_test/6045662496
(venv) jackady@Mac nuclei-templates % 

Additional References:
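
A log check a defender could run for the request pattern shown in the debug output above, added here as an example; it is not part of the PR or of the nuclei template. The combined access-log format, the function names `argv_style_tokens` and `scan`, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request target and status code inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')
# A query token shaped like a CLI long option, e.g. --configPath=/some/dir
OPTION_RE = re.compile(r'^--[A-Za-z][\w-]*(=|$)')

# Constructed sample lines; only the first target is taken from the debug output above.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Dec/2024:07:58:21 +0000] "GET /?--configPath=/nuclei_test/6045662496 HTTP/1.1" 503 412 "-" "-"',
    '203.0.113.7 - - [29/Dec/2024:07:58:22 +0000] "GET /?%2D%2DconfigPath=/tmp/x HTTP/1.1" 503 401 "-" "-"',
    '198.51.100.4 - - [29/Dec/2024:08:01:02 +0000] "GET /index.php?p=news&page=2 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.4 - - [29/Dec/2024:08:01:09 +0000] "GET /search?q=a--b HTTP/1.1" 200 2310 "-" "-"',
]


def argv_style_tokens(target):
    """Return the query tokens of a request target that look like '--option' arguments."""
    _, sep, query = target.partition("?")
    if not sep:
        return []
    # With register_argc_argv = On, PHP derives argv from the query string, split on '+'.
    # Splitting on '&' as well and URL-decoding is a deliberate over-approximation for detection.
    tokens = [unquote(t) for t in re.split(r"[+&]", query)]
    return [t for t in tokens if OPTION_RE.match(t)]


def scan(lines):
    """Return (status, target, tokens) for every log line carrying option-like query tokens."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tokens = argv_style_tokens(m.group("target"))
        if tokens:
            hits.append((int(m.group("status")), m.group("target"), tokens))
    return hits


if __name__ == "__main__":
    for status, target, tokens in scan(SAMPLE_LOG):
        print(f"status={status} target={target} option_tokens={tokens}")
```

Ordinary parameters such as `q=a--b` are not flagged because only tokens that begin with `--` match.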

@ehsandeep
Member

@jackhax thanks for creating and sharing the template. I've pushed a minor update to the matcher; can you confirm it works as expected with your local test setup?

@jackhax
Contributor Author

jackhax commented Dec 29, 2024

@ehsandeep I have verified the template with the change and it works as intended with no issues in the matcher.

@ehsandeep ehsandeep merged commit 4607a93 into projectdiscovery:main Dec 29, 2024
3 checks passed
Successfully merging this pull request may close these issues.

Craft CMS pre-authentication RCE
