KingSkrupellos

WordPress wp-bs3-rad Themes Unauthorized File Insertion

Mar 5th, 2019
####################################################################

# Exploit Title : WordPress wp-bs3-rad Themes Unauthorized File Insertion
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 06/03/2019
# Vendor Homepage : wordpress.org ~ grupoabbsolute.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
The WordPress wp-bs3-rad theme is prone to an arbitrary file upload vulnerability.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

####################################################################

# Arbitrary File Upload Exploit :
****************************
/wp-content/themes/wp-bs3-rad/ajax-file-upload/index.php

# Vulnerable Source Code :
*************************
<!doctype html>
<html>
<head>
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap.min.css" type="text/css">
<script src="http://malsup.github.com/jquery.form.js"></script>
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/js/bootstrap.min.js"></script>
<script src="js/bootstrap.filestyle.js"></script>
<style>
body
{
    background-color: transparent;
}
.contenedor{
    position: absolute;
    top: 0px;
    left: 0px;
}
form { display: block; border-radius: 10px; padding: 0px;
    margin-left: 0px;
    padding-bottom: 30px;
}
#progress { position:relative; width:400px; border: 1px solid #ddd; padding: 1px; border-radius: 3px; }
#bar { background-color: #a81b45; width:0%; height:20px; border-radius: 0px; }
#percent { position:absolute; display:inline-block; top:3px; left:48%; color:#FFFFFF; }
.form-up{
    height: 43px;
    width: 445px;
    border: 2px solid #ddd;
    background-color:#fff;
}
.inputSubir {
    width: 135px;
    height: 35px;
    margin: 0 0 1em 0;
    border: 0px;
    background-image:url(imagenes/boton-03-en.png);
}
.archivos{
    display: block;
    float: right;
    padding-top: 10px;
}
.bootstrap-filestyle
{
    display: inline-block;
    position: absolute;
    top: 8px;
    left: 150px;
}
.gcb-button {
    background: none repeat scroll 0 0 #a91f44;
    border: medium none;
    border-radius: 7px;
    color: #fff;
    font-family: "open_sansregular","Open Sans",sans-serif;
    padding: 5px 10px;
    text-transform: uppercase;
    height: 27px;
}
</style>
</head>
<body>
<div class="contenedor">
    <div class="form-up">
        <!-- The form posts directly to upload.php in the theme directory and carries no nonce field. -->
        <form id="myForm" action="upload.php" method="post" enctype="multipart/form-data">
            <input type="hidden" name="lng" value="en" />
            <input type="submit" value="" class="inputSubir" >
            <input type="file" size="60" name="myfile" data-max-size="32154" class="archivos" required /><br>

            Resolve operation: <strong>7 + 6</strong> <input type="text" name="sum" size="3" />
            <!-- The expected answer to the arithmetic check is sent to the client in the hidden "xvar" field. -->
            <input type="hidden" name="xvar" value="13" />
        </form>
    </div>
    <br>
    <br><br>
    <div id="progress">
        <div id="bar"></div>
        <div id="percent">0%</div>
    </div>
    <br/>

    <div id="xmessage"></div>
</div>

<script>
$(document).ready(function()
{

    $(":file").filestyle(
        {
            icon: false,
            input: false,
            buttonName: 'gcb-button',
            buttonText: 'Choose file'
        }
    );

    var options = {
        beforeSend: function()
        {
            $("#progress").show();
            //clear everything
            $("#bar").width('0%');
            $("#xmessage").html("");
            $("#percent").html("0%");
        },
        uploadProgress: function(event, position, total, percentComplete)
        {
            $("#bar").width(percentComplete+'%');
            $("#percent").html(percentComplete+'%');
        },
        success: function(responseText)
        {
            $("#bar").width('100%');
            $("#percent").html('100%');
            alert(responseText);
        },
        complete: function(response)
        {

        },
        error: function()
        {
            $("#xmessage").html("<font color='red'>ERROR: unable to upload files</font>");
        }

    };

    $("#myForm").ajaxForm(options);

});

</script>
</body>
</html>
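
# Added Example : Hardened Upload Handler (not part of the original advisory, not the theme's code)
*************************
The form above submits to a standalone upload.php inside the theme directory. The sketch below shows how the same upload could instead be routed through WordPress's admin-ajax.php with an authentication, capability and file-type check. The action name bs3rad_upload, the nonce field bs3rad_nonce and the allowed types are assumptions; only the field name myfile comes from the form.

```php
<?php
// Added example for a theme's functions.php. Assumed names: action
// 'bs3rad_upload', nonce field 'bs3rad_nonce'. 'myfile' is the form's field.

// Register only the authenticated hook. There is deliberately no
// wp_ajax_nopriv_ counterpart, so anonymous requests never reach the handler.
add_action( 'wp_ajax_bs3rad_upload', 'bs3rad_handle_upload' );

function bs3rad_handle_upload() {
    // 1. CSRF: the form must emit this nonce with wp_nonce_field().
    if ( ! check_ajax_referer( 'bs3rad_upload', 'bs3rad_nonce', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce.', 403 );
    }

    // 2. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Not allowed to upload files.', 403 );
    }

    // 3. The 'sum' / 'xvar' fields are ignored on purpose: the expected
    //    value is supplied by the client, so it proves nothing server-side.
    if ( empty( $_FILES['myfile'] ) || UPLOAD_ERR_OK !== $_FILES['myfile']['error'] ) {
        wp_send_json_error( 'No file received.', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 4. Allow-list of extensions and MIME types (assumed business need).
    //    wp_handle_upload() rejects anything else and never returns a
    //    file with an executable extension such as .php.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    );

    // 5. WordPress picks a unique name and stores the file in the uploads dir.
    $result = wp_handle_upload( $_FILES['myfile'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

With a handler like this in place the ajax-file-upload directory can be removed from the theme, so no PHP file under wp-content/themes accepts uploads on its own.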

####################################################################

# Example Vulnerable Sites :
*************************
[+] granadaconventionbureau.org/wp-content/themes/wp-bs3-rad/ajax-file-upload/index.php

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################