PoC details: 861ed39ab1945e2be4ab491be8d2e6a0be0ac6d3

Source
Related vulnerability
Title: WordPress contact-form-7 code issue vulnerability (CVE-2020-35489)
Description: WordPress contact-form-7 is a plugin from the WordPress Foundation that provides forms for WordPress. Versions of the contact-form-7 (aka Contact Form 7) plugin before 5.3.2 contain a security vulnerability that allows unrestricted file upload and remote code execution, because a filename may contain special characters.
Description
A test script that checks whether a WordPress website is exposed to unrestricted file upload via CVE-2020-35489
Introduction
# Check-WP-CVE-2020-35489

## CVE-2020-35489
CVE-2020-35489 was discovered in the WordPress plugin Contact Form 7, version 5.3.1 and older. By exploiting this vulnerability, attackers could upload files of any type, bypassing all restrictions a website places on the allowed file types for uploads.

An estimated **5 million** websites were affected.

The PoC will be displayed on December 31, 2020, to give users the time to update.

## Reference
https://wpscan.com/vulnerability/10508

https://contactform7.com/2020/12/17/contact-form-7-532/#more-38314

https://cwe.mitre.org/data/definitions/434.html

## Run script
```
$ python3 check_CVE-2020-35489.py -d domaintest.com

Contact Form 7 version: 5.1.3
domaintest.com is vulnerable!
```

```
$ python3 check_CVE-2020-35489.py -i in.txt -o out.txt
```
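As an added illustration, not code from the Check-WP-CVE-2020-35489 repository, the following shows how a defender's inventory check can classify a Contact Form 7 install by reading the `Stable tag` from the plugin's `readme.txt` (the metadata file WordPress.org ships with every plugin) and comparing it with 5.3.2, the first fixed release. The readme path and the sample readme text are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Contact Form 7 5.3.2 is the first release that fixes CVE-2020-35489.
FIXED_VERSION = (5, 3, 2)

# Constructed sample of a plugin readme.txt header in WordPress.org format.
# Assumed location on a site: /wp-content/plugins/contact-form-7/readme.txt
SAMPLE_README = """=== Contact Form 7 ===
Requires at least: 5.5
Tested up to: 5.6
Stable tag: 5.1.3
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the 'Stable tag' line from readme.txt as a tuple of ints.
    Returns None when the tag is missing or not numeric (e.g. 'trunk')."""
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)\s*$", text,
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    parts = m.group(1).strip(".").split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version is older than 5.3.2 (CVE-2020-35489 unfixed).
    Short versions such as 5.3 are zero-padded so that 5.3 < 5.3.2."""
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed


def check_readme(text: str) -> str:
    """Classify a readme.txt body as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


if __name__ == "__main__":
    ver = parse_version(SAMPLE_README)
    print("Contact Form 7 version:", ".".join(map(str, ver)))
    print(check_readme(SAMPLE_README))
```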
File snapshot

[4.0K] /data/pocs/861ed39ab1945e2be4ab491be8d2e6a0be0ac6d3
├── [2.7K] check_CVE-2020-35489.py
├── [1.5K] factory.py
├── [ 823] README.md
└── [   9] requirements.txt

0 directories, 4 files
Notes
    1. It is recommended to access the PoC through its source first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.