WordPress Contact Form 7 plugin version 5.3.1 suffers from a remote shell upload vulnerability.
fb51b96b8a6834e0059bf0f53bbb280b
# Exploit Title: Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
# Date: 12/20/2020
# Exploit Author: Ramón Vila Ferreres (@ramonvfer)
# Vendor Homepage: https://contactform7.com
# Software Link: https://wordpress.org/plugins/contact-form-7/
# Version: 5.3.1 and below
# Tested on: Windows 10 1909, Ubuntu 20.4
Explanation
---------------------------------------------------------------------
ContactForm7 version 5.3.1 and below doesn't properly sanitize
uploaded filenames to prevent Arbitrary File Upload that can lead
to full server takeover in the worst-case scenario.
This happens in the wpcf7_antiscript_file_name function, that fails
to sanitize the provided filename if it ends with any Unicode special
character ranging from U+0000 (null) to U+001F (us).
The function matches both the file name and the file extension against
an exclusion regex. Appending any unicode special character to the
file extension results in a complete bypass of this verification (as
the regex doesn't match) leading to the Unrestricted File Upload.
Exploit
---------------------------------------------------------------------
1. Change the file extension of the file you want to upload (e.g:
"shell.php") to its equivalent with the special character ending (in
this case "shell.php" (appended U+0000))
2. Upload the file using ContactForm7 file upload feature in the
target website.
3. Go to <target.com>/wp-content/uploads/wpcf7_uploads/shell.php
Note the special character at the end
Note that the file upload location may vary as it is configurable.
4. Now you have uploaded your file!