WordPress wp-bs3-rad Themes Unauthorized Insert File Vulnerability

CVE: CVE-2018-9345
Category: CWE-264
Price: $500
Severity: High
Author: John Doe
Risk: Critical
Exploitation Type: Remote
Date: 2019-03-06
CVSS: CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSS percentile: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019030057

Below is a copy:

WordPress wp-bs3-rad Themes Unauthorized Insert File Vulnerability
####################################################################

# Exploit Title : WordPress wp-bs3-rad Themes Unauthorized Insert File Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 06/03/2019
# Vendor Homepage : wordpress.org ~ grupoabbsolute.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
WordPress wp-bs3-rad Themes is prone to an arbitrary file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

####################################################################

# Arbitrary File Upload Exploit :
****************************
/wp-content/themes/wp-bs3-rad/ajax-file-upload/index.php

# Vulnerable Source Code :
*************************
<!doctype html>
<html>
<head>
  <link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap.min.css" type="text/css">
  <script src="http://malsup.github.com/jquery.form.js"></script>
  <script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/js/bootstrap.min.js"></script>
  <script src="js/bootstrap.filestyle.js"></script>
  <style>
    body {
      background-color: transparent;
    }
    .contenedor {
      position: absolute;
      top: 0px;
      left: 0px;
    }
    form {
      display: block;
      border-radius: 10px;
      padding: 0px;
      margin-left: 0px;
      padding-bottom: 30px;
    }
    #progress { position: relative; width: 400px; border: 1px solid #ddd; padding: 1px; border-radius: 3px; }
    #bar { background-color: #a81b45; width: 0%; height: 20px; border-radius: 0px; }
    #percent { position: absolute; display: inline-block; top: 3px; left: 48%; color: #FFFFFF; }
    .form-up {
      height: 43px;
      width: 445px;
      border: 2px solid #ddd;
      background-color: #fff;
    }
    .inputSubir {
      width: 135px;
      height: 35px;
      margin: 0 0 1em 0;
      border: 0px;
      background-image: url(imagenes/boton-03-en.png);
    }
    .archivos {
      display: block;
      float: right;
      padding-top: 10px;
    }
    .bootstrap-filestyle {
      display: inline-block;
      position: absolute;
      top: 8px;
      left: 150px;
    }
    .gcb-button {
      background: none repeat scroll 0 0 #a91f44;
      border: medium none;
      border-radius: 7px;
      color: #fff;
      font-family: "open_sansregular","Open Sans",sans-serif;
      padding: 5px 10px;
      text-transform: uppercase;
      height: 27px;
    }
  </style>
</head>
<body>
  <div class="contenedor">
    <div class="form-up">
      <form id="myForm" action="upload.php" method="post" enctype="multipart/form-data">
        <input type="hidden" name="lng" value="en" />
        <input type="submit" value="" class="inputSubir" >
        <input type="file" size="60" name="myfile" data-max-size="32154" class="archivos" required /><br>
        Resolve operation: <strong>7 + 6</strong> <input type="text" name="sum" size="3" />
        <input type="hidden" name="xvar" value="13" />
      </form>
    </div>
    <br>
    <br><br>
    <div id="progress">
      <div id="bar"></div>
      <div id="percent">0%</div>
    </div>
    <br/>
    <div id="xmessage"></div>
  </div>

  <script>
  $(document).ready(function() {

    $(":file").filestyle({
      icon: false,
      input: false,
      buttonName: 'gcb-button',
      buttonText: 'Choose file'
    });

    var options = {
      beforeSend: function() {
        $("#progress").show();
        // clear everything
        $("#bar").width('0%');
        $("#message").html("");
        $("#percent").html("0%");
      },
      uploadProgress: function(event, position, total, percentComplete) {
        $("#bar").width(percentComplete + '%');
        $("#percent").html(percentComplete + '%');
      },
      success: function(responseText) {
        $("#bar").width('100%');
        $("#percent").html('100%');
        alert(responseText);
      },
      complete: function(response) {
      },
      error: function() {
        $("#message").html("<font color='red'>ERROR: unable to upload files</font>");
      }
    };

    $("#myForm").ajaxForm(options);

  });
  </script>
</body>
</html>
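The form above posts straight to upload.php (whose source the advisory does not include) from a script that is reachable without any WordPress login, and its only anti-automation measure is the "7 + 6" question, whose expected answer (13) the form itself ships to the client in the hidden xvar field, so the check protects nothing. The handler below is an added example, not code from the theme or from the advisory, showing what a hardened upload endpoint for such a form looks like when written as a WordPress AJAX action: a login and capability check, a server-side nonce instead of a client-supplied answer, a server-side size limit, an extension-and-content allowlist, and a random file name. The action name bs3rad_upload, the nonce action bs3rad_upload_nonce and the allowlist are assumptions made for this illustration.

```php
<?php
// Added example (hypothetical replacement for the theme's upload endpoint).
// Registered from functions.php so it runs inside WordPress, not as a
// standalone script. Names starting with bs3rad_ are assumptions.

add_action('wp_ajax_bs3rad_upload', 'bs3rad_handle_upload');
// Deliberately no wp_ajax_nopriv_ hook: anonymous visitors get no upload endpoint.

function bs3rad_handle_upload() {
    // 1. Authentication and capability: only users allowed to upload media.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. CSRF: a per-user nonce generated server-side, unlike the "7 + 6"
    //    check in the original form, whose answer travels in a hidden field.
    //    check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer('bs3rad_upload_nonce', 'nonce');

    if (empty($_FILES['myfile']) || $_FILES['myfile']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file', 400);
    }
    $file = $_FILES['myfile'];

    // 3. Size limit enforced on the server; the data-max-size attribute on the
    //    <input> in the form is advisory only and is trivially ignored.
    $max_bytes = 32154;
    if ($file['size'] > $max_bytes) {
        wp_send_json_error('too large', 413);
    }

    // 4. Allowlist by extension AND content: wp_check_filetype_and_ext() maps
    //    the extension against $allowed and, for images, sniffs the real bytes.
    //    Anything that does not resolve to an allowed type is rejected, so
    //    server-executable files never reach disk.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('file type not allowed', 415);
    }

    // 5. Never trust the client-supplied name: random name, validated extension.
    $new_name = wp_generate_password(20, false) . '.' . $check['ext'];

    // 6. Let WordPress move the file into the uploads directory with its own
    //    checks; test_form is false because this is not the media-library form.
    $overrides = array(
        'test_form' => false,
        'mimes'     => $allowed,
        'unique_filename_callback' => function ($dir, $name, $ext) use ($new_name) {
            return $new_name;
        },
    );
    $result = wp_handle_upload($file, $overrides);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 500);
    }

    wp_send_json_success(array('file' => basename($result['file'])));
}
```

For this handler the form would post to admin-ajax.php with action=bs3rad_upload and carry a field named nonce filled from wp_create_nonce('bs3rad_upload_nonce'); the hidden xvar and the sum field become unnecessary. Keeping the endpoint behind is_user_logged_in() and a capability check is the property the original index.php lacks; the allowlist and random naming limit the damage even if a caller is authenticated.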

####################################################################

# Example Vulnerable Sites :
*************************
[+] granadaconventionbureau.org/wp-content/themes/wp-bs3-rad/ajax-file-upload/index.php

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################

Copyright ©2024 Exploitalert.
