updated matcher & name

patch-1
Ritik Chaddha 2023-10-26 23:41:10 +05:30 committed by GitHub
parent ef209b0caa
commit 2150eed105
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 5 deletions


@ -1,14 +1,14 @@
id: blog-designer-pack-lfi
id: blog-designer-pack-rce
info:
name: News & Blog Designer Pack < 3.4.2 Remote Code Execution
author: iamnoooob, rootxharsh, pdresearch
name: News & Blog Designer Pack < 3.4.2 - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
News & Blog Designer Pack contains a local file inclusion vulnerability via user controlled $design variable extracted by POST parameter 'shrt_param' leading to Remote Code Execution via pearcmd.php. The vulnerability occurs within bdp_get_more_post function inside file bdp-ajax-functions.php.
reference:
- https://twitter.com/frycos/status/1717571552470819285
tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,wpscan,rce,unauth,wpscan,intrusive
tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,rce,intrusive
variables:
randomstr: "{{randstr_1}}"
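Review bot: renaming the template id from `blog-designer-pack-lfi` to `blog-designer-pack-rce` (first line of the hunk) is a breaking change for anyone who pins this template by id in `-id`/`-exclude-id` lists or in automation; call that out in the commit message, or keep the old id discoverable (for example in the description) so the rename is traceable. Separately, the tags line drops `unauth` along with the duplicated `wpscan` entry, yet the description still describes an unauthenticated POST to the AJAX handler; if the request needs no session, `unauth` should stay so the template is still selected by `-tags unauth` filters. The `reference` list carries only a tweet; if a vendor changelog or advisory URL for the 3.4.2 fix exists, add it so the version bound in `name` is verifiable.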
@ -40,4 +40,8 @@ http:
matchers:
- type: dsl
dsl:
- 'contains(body_1, "\"success\":0") && contains(body_2,"channel pear.php.net") && contains(body_3, "{{randomstr}}")'
- 'contains(body_1, "\"success\":0")'
- 'contains(body_2,"channel pear.php.net")'
- 'contains_all(body_3, "{{randomstr}}", "success\":1")'
- 'contains(header_3, "application/json")'
condition: and
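Review bot: the added `condition: and` is load-bearing here and deserves a comment in the template: with several `dsl` entries nuclei combines them with `or` by default, so without it the matcher would fire on the first check alone (`contains(body_1, "\"success\":0")`), which is just the plugin's normal error response and would produce false positives. The new `contains_all(body_3, "{{randomstr}}", "success\":1")` line is a sensible tightening over the old single expression because it requires both the echoed random marker and the success flag in the final response. Two smaller points: `contains(header_3, "application/json")` is case-sensitive, so a server emitting `Application/JSON` would be missed; wrapping with `to_lower(header_3)` avoids that. And the mixed escaping styles (`"\"success\":0"` in one line, `"success\":1"` in another) both work inside single-quoted YAML, but using one style consistently makes the intent easier to read.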