WordPress WebFatorial-FoodNetwork Themes Unauthorized File Insertation

2019.03.06
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

##########################################################################
# Exploit Title : WordPress WebFatorial-FoodNetwork Themes Unauthorized File Insertation
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 06/03/2019
# Vendor Homepage : foodnetwork.com.br
# Information Link : themetix.com/webfatorial-foodnetwork/
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
##########################################################################
# Impact :
***********
WordPress WebFatorial-FoodNetwork Themes is prone to an arbitrary file upload vulnerability.
An attacker may leverage this issue to upload arbitrary files to the affected computer;
this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions, privileges,
and other security features that are used to perform access control.
##########################################################################
# Exploit :
*********
/wp-content/themes/webfatorial-foodnetwork/js/jupload/index.php

# Directory File Path :
********************
/wp-content/uploads/[YEAR]/[MONTH]/.....

Note : Search for reasonable file path.
##########################################################################
# Vulnerable Source Code :
************************
<!DOCTYPE HTML>
<!--
/*
 * jQuery File Upload Plugin Demo
 * https://github.com/blueimp/jQuery-File-Upload
 *
 * Copyright 2010, Sebastian Tschan
 * https://blueimp.net
 *
 * Licensed under the MIT license:
 * https://opensource.org/licenses/MIT
 */
-->
<html lang="en">
<head>
<!-- Force latest IE rendering engine or ChromeFrame if installed -->
<!--[if IE]>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<![endif]-->
<meta charset="utf-8">
<title>jQuery File Upload Demo</title>
<meta name="description" content="File Upload widget with multiple file selection, drag&amp;drop support, progress bars, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- Bootstrap styles -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<!-- Generic page styles -->
<link rel="stylesheet" href="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/css/style.css">
<!-- blueimp Gallery styles -->
<link rel="stylesheet" href="https://blueimp.github.io/Gallery/css/blueimp-gallery.min.css">
<!-- CSS to style the file input field as button and adjust the Bootstrap progress bars -->
<link rel="stylesheet" href="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/css/jquery.fileupload.css">
<link rel="stylesheet" href="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/css/jquery.fileupload-ui.css">
<!-- CSS adjustments for browsers with JavaScript disabled -->
<noscript><link rel="stylesheet" href="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/css/jquery.fileupload-noscript.css"></noscript>
<noscript><link rel="stylesheet" href="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/css/jquery.fileupload-ui-noscript.css"></noscript>
<body>
<!-- The file upload form used as target for the file upload widget -->
<form id="fileupload" action="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/" method="POST" enctype="multipart/form-data">
    <!-- Redirect browsers with JavaScript disabled to the origin page -->
    <noscript><input type="hidden" name="redirect" value="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/"></noscript>
    <!-- The fileupload-buttonbar contains buttons to add/delete files and start/cancel the upload -->
    <div class="row fileupload-buttonbar">
        <div class="col-lg-7">
            <!-- The fileinput-button span is used to style the file input field as button -->
            <span class="btn btn-success fileinput-button" style="background: #e1e1e1;border: 1px solid;">
                <i class="glyphicon glyphicon-plus" style="color: #000000;"></i>
                <span style="color:#000000;">Selecionar Vídeo</span>
                <input type="file" name="files[]" multiple>
                <input type="hidden" name="id_video" id="id_video" value="">
            </span>
            <!--<button type="submit" class="btn btn-primary start">
                <i class="glyphicon glyphicon-upload"></i>
                <span>Start upload</span>
            </button>
            <button type="reset" class="btn btn-warning cancel">
                <i class="glyphicon glyphicon-ban-circle"></i>
                <span>Cancel upload</span>
            </button>
            <button type="button" class="btn btn-danger delete">
                <i class="glyphicon glyphicon-trash"></i>
                <span>Delete</span>
            </button>
            <input type="checkbox" class="toggle">-->
            <!-- The global file processing state -->
            <!--<span class="fileupload-process"></span>-->
        </div>
        <!-- The global progress state -->
        <div class="col-lg-5 fileupload-progress fade">
            <!-- The global progress bar -->
            <!--<div class="progress progress-striped active" role="progressbar" aria-valuemin="0" aria-valuemax="100">
                <div class="progress-bar progress-bar-success" style="width:0%;"></div>
            </div>-->
            <!-- The extended global progress state -->
            <div class="progress-extended">&nbsp;</div>
        </div>
    </div>
    <!-- The table listing the files available for upload/download -->
    <table role="presentation" class="table table-striped"><tbody class="files"></tbody></table>
</form>
<!-- The blueimp Gallery widget -->
<div id="blueimp-gallery" class="blueimp-gallery blueimp-gallery-controls" data-filter=":even">
    <div class="slides"></div>
    <h3 class="title"></h3>
    <a class="prev">‹</a>
    <a class="next">›</a>
    <a class="close">×</a>
    <a class="play-pause"></a>
    <ol class="indicator"></ol>
</div>
<!-- The template to display files available for upload -->
<script id="template-upload" type="text/x-tmpl">
{% for (var i=0, file; file=o.files[i]; i++) { %}
    <tr class="template-upload fade">
        <td>
            <span class="preview"></span>
        </td>
        <td>
            <p class="name">{%=file.name%}</p>
            <strong class="error text-danger"></strong>
        </td>
        <td>
            <p class="size">Processing...</p>
            <div class="progress progress-striped active" role="progressbar" aria-valuemin="0" aria-valuemax="100" aria-valuenow="0"><div class="progress-bar progress-bar-success" style="width:0%;"></div></div>
        </td>
        <td>
            {% if (!i && !o.options.autoUpload) { %}
                <button class="btn btn-primary start" disabled>
                    <i class="glyphicon glyphicon-upload"></i>
                    <span>Carregar</span>
                </button>
            {% } %}
            {% if (!i) { %}
                <button class="btn btn-warning cancel">
                    <i class="glyphicon glyphicon-ban-circle"></i>
                    <span>Cancelar</span>
                </button>
            {% } %}
            <br><br>Clique em Carregar para enviar seu vídeo.
        </td>
    </tr>
{% } %}
</script>
<!-- The template to display files available for download -->
<script id="template-download" type="text/x-tmpl">
alert(o.files.count());
{% for (var i=0, file; file=o.files[i]; i++) { %}
    <tr class="template-download fade">
        <td>
            <span class="preview">
                {% if (file.thumbnailUrl) { %}
                    <a href="{%=file.url%}" title="{%=file.name%}" download="{%=file.name%}" data-gallery><img src="{%=file.thumbnailUrl%}"></a>
                {% } %}
            </span>
        </td>
        <td>
            <p class="name">
                {% if (file.url) { %}
                    <a id="link_video" href="{%=file.url%}" title="{%=file.name%}" download="{%=file.name%}" {%=file.thumbnailUrl?'data-gallery':''%}>{%=file.name%}</a>
                {% } else { %}
                    <span>{%=file.name%}</span>
                {% } %}
            </p>
            {% if (file.error) { %}
                <div><span class="label label-danger">Error</span> {%=file.error%}</div>
            {% } %}
        </td>
        <td>
            <span class="size">{%=o.formatFileSize(file.size)%}</span>
        </td>
        <td>
            {% if (file.deleteUrl) { %}
                <button class="btn btn-danger delete" data-type="{%=file.deleteType%}" data-url="{%=file.deleteUrl%}"{% if (file.deleteWithCredentials) { %} data-xhr-fields='{"withCredentials":true}'{% } %}>
                    <i class="glyphicon glyphicon-trash"></i>
                    <span>Delete</span>
                </button>
                <input type="checkbox" name="delete" value="1" class="toggle">
            {% } else { %}
                <button class="btn btn-warning cancel">
                    <i class="glyphicon glyphicon-ban-circle"></i>
                    <span>Cancel</span>
                </button>
            {% } %}
        </td>
    </tr>
{% } %}
</script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!-- The jQuery UI widget factory, can be omitted if jQuery UI is already included -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/vendor/jquery.ui.widget.js"></script>
<!-- The Templates plugin is included to render the upload/download listings -->
<script src="https://blueimp.github.io/JavaScript-Templates/js/tmpl.min.js"></script>
<!-- The Load Image plugin is included for the preview images and image resizing functionality -->
<script src="https://blueimp.github.io/JavaScript-Load-Image/js/load-image.all.min.js"></script>
<!-- The Canvas to Blob plugin is included for image resizing functionality -->
<script src="https://blueimp.github.io/JavaScript-Canvas-to-Blob/js/canvas-to-blob.min.js"></script>
<!-- Bootstrap JS is not required, but included for the responsive demo navigation -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<!-- blueimp Gallery script -->
<script src="https://blueimp.github.io/Gallery/js/jquery.blueimp-gallery.min.js"></script>
<!-- The Iframe Transport is required for browsers without support for XHR file uploads -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.iframe-transport.js"></script>
<!-- The basic File Upload plugin -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload.js"></script>
<!-- The File Upload processing plugin -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload-process.js"></script>
<!-- The File Upload image preview & resize plugin -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload-image.js"></script>
<!-- The File Upload audio preview plugin -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload-audio.js"></script>
<!-- The File Upload video preview plugin -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload-video.js"></script>
<!-- The File Upload validation plugin -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload-validate.js"></script>
<!-- The File Upload user interface plugin -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload-ui.js"></script>
<!-- The main application script -->
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/main.js"></script>
<!-- The XDomainRequest Transport is included for cross-domain file deletion for IE 8 and IE 9 -->
<!--[if (gte IE 8)&(lt IE 10)]>
<script src="http://foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/js/cors/jquery.xdr-transport.js"></script>
<![endif]-->
</body>
</html>
##########################################################################
# Example Vulnerable Site :
*************************
[+] foodnetwork.com.br/wp-content/themes/webfatorial-foodnetwork/js/jupload/index.php
##########################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
##########################################################################
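The advisory boils down to a stock jQuery File Upload demo page (index.php with its POST target at jupload/) shipped inside a theme directory, so anyone can post files that land under /wp-content/uploads/[YEAR]/[MONTH]/. What a site owner or responder wants from that description is a way to spot the exposure on disk and its use in access logs. The script below is an added, defender-side example; it is not part of the advisory and not code from the theme, the vendor, or the blueimp project. It assumes the combined access-log format, the endpoint path named above, and a heuristic for recognising a leftover demo directory (an index.php beside js/jquery.fileupload.js, or a blueimp UploadHandler.php). The log lines and the directory tree it builds are constructed samples.

```python
"""Added example (not part of the advisory or of the theme): two defender-side
checks for a jQuery File Upload demo endpoint left inside a WordPress theme.

  scan_access_log()  flags POSTs to the jupload endpoint and any request for a
                     PHP file under /wp-content/uploads/<year>/<month>/.
  audit_webroot()    walks a webroot for leftover upload-demo directories and
                     for PHP files sitting in the uploads tree.

The endpoint path is the one named in the advisory; the log lines and the
directory layout are constructed samples, not data from the site.
"""
import os
import re
import tempfile

# Apache/nginx "combined" access-log format (assumption: adjust LOG_RE otherwise).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Upload endpoint from the advisory (POST target of the demo form).
UPLOAD_ENDPOINT = "/wp-content/themes/webfatorial-foodnetwork/js/jupload/"
# PHP requested out of the uploads tree, where only media should live.
UPLOADS_PHP = re.compile(
    r"^/wp-content/uploads/\d{4}/\d{2}/[^?]+\.(php\d?|phtml|phar)(\?|$)", re.I)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2019:10:01:02 +0000] "GET /wp-content/themes/webfatorial-foodnetwork/js/jupload/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Mar/2019:10:01:09 +0000] "POST /wp-content/themes/webfatorial-foodnetwork/js/jupload/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Mar/2019:10:01:15 +0000] "GET /wp-content/uploads/2019/03/video.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Mar/2019:10:02:00 +0000] "GET /wp-content/uploads/2019/03/banner.jpg HTTP/1.1" 200 40311 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (finding, ip, path, status) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, status = m.groups()
    if method == "POST" and path.startswith(UPLOAD_ENDPOINT):
        return ("upload-attempt", ip, path, status)
    if UPLOADS_PHP.match(path):
        return ("php-in-uploads", ip, path, status)
    return None


def scan_access_log(lines):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in lines) if hit]


PHP_EXT = (".php", ".php5", ".php7", ".phtml", ".phar")


def audit_webroot(root):
    """Find leftover upload-demo directories and PHP files under wp-content/uploads.

    A directory counts as an upload demo when it holds an index.php next to a
    js/jquery.fileupload.js (the layout in the advisory) or a blueimp server
    handler (UploadHandler.php). Paths come back relative to root, with
    forward slashes, sorted.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        has_widget = os.path.isfile(os.path.join(dirpath, "js", "jquery.fileupload.js"))
        if "UploadHandler.php" in files or ("index.php" in files and has_widget):
            findings.append(("upload-demo-dir", rel))
        if rel.startswith("wp-content/uploads"):
            for name in files:
                if name.lower().endswith(PHP_EXT):
                    findings.append(("php-in-uploads", rel + "/" + name))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway tree mirroring the advisory's paths (constructed)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel in (
        "wp-content/themes/webfatorial-foodnetwork/js/jupload/index.php",
        "wp-content/themes/webfatorial-foodnetwork/js/jupload/js/jquery.fileupload.js",
        "wp-content/themes/webfatorial-foodnetwork/functions.php",
        "wp-content/uploads/2019/03/banner.jpg",
        "wp-content/uploads/2019/03/video.php",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("log:", *hit)
    for finding in audit_webroot(build_sample_webroot()):
        print("fs: ", *finding)
```

Run against a real webroot by calling audit_webroot("/var/www/html") and against a real log by feeding the file's lines to scan_access_log(). A GET of the demo page alone is deliberately not flagged, since crawlers fetch it too; the POST to the endpoint and any PHP served from the uploads tree are the signals worth alerting on. The lasting fix is to delete the demo directory from the theme and to deny PHP execution under wp-content/uploads in the web server configuration, so that even a successful upload cannot run.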


Copyright 2019, cxsecurity.com
