- ####################################################################
- # Exploit Title : WordPress wp-bs3-rad Themes Unauthorized File Insertion
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 06/03/2019
- # Vendor Homepage : wordpress.org ~ grupoabbsolute.com
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Impact :
- ***********
- The WordPress wp-bs3-rad theme is prone to an arbitrary file upload vulnerability.
- An attacker may leverage this issue to upload arbitrary files to the affected computer;
- this can result in arbitrary code execution within the context of the vulnerable application.
- Weaknesses in this category are related to the management of permissions,
- privileges, and other security features that are used to perform access control.
- ####################################################################
- # Arbitrary File Upload Exploit :
- ****************************
- /wp-content/themes/wp-bs3-rad/ajax-file-upload/index.php
- # Vulnerable Source Code :
- *************************
- <!doctype html>
- <head>
- <link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap.min.css" type="text/css">
- <script src="http://malsup.github.com/jquery.form.js"></script>
- <script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/js/bootstrap.min.js"></script>
- <script src="js/bootstrap.filestyle.js"></script>
- <style>
- body
- {
- background-color: transparent;
- }
- .contenedor{
- position: absolute;
- top: 0px;
- left: 0px;
- }
- form { display: block; border-radius: 10px; padding: 0px;
- margin-left: 0px;
- padding-bottom: 30px;
- }
- #progress { position:relative; width:400px; border: 1px solid #ddd; padding: 1px; border-radius: 3px; }
- #bar { background-color: #a81b45; width:0%; height:20px; border-radius: 0px; }
- #percent { position:absolute; display:inline-block; top:3px; left:48%; color:#FFFFFF; }
- .form-up{
- height: 43px;
- width: 445px;
- border: 2px solid #ddd;
- background-color:#fff;
- }
- .inputSubir {
- width: 135px;
- height: 35px;
- margin: 0 0 1em 0;
- border: 0px;
- background-image:url(imagenes/boton-03-en.png);
- }
- .archivos{
- display: block;
- float: right;
- padding-top: 10px;
- }
- .bootstrap-filestyle
- {
- display: inline-block;
- position: absolute;
- top: 8px;
- left: 150px;
- }
- .gcb-button {
- background: none repeat scroll 0 0 #a91f44;
- border: medium none;
- border-radius: 7px;
- color: #fff;
- font-family: "open_sansregular","Open Sans",sans-serif;
- padding: 5px 10px;
- text-transform: uppercase;
- height: 27px;
- }
- </style>
- </head>
- <body>
- <div class="contenedor">
- <div class="form-up">
- <form id="myForm" action="upload.php" method="post" enctype="multipart/form-data">
- <input type="hidden" name="lng" value="en" />
- <input type="submit" value="" class="inputSubir" >
- <input type="file" size="60" name="myfile" data-max-size="32154" class="archivos" required /><br>
- Resolve operation: <strong>7 + 6</strong> <input type="text" name="sum" size="3" />
- <input type="hidden" name="xvar" value="13" />
- </form>
- </div>
- <br>
- <br><br>
- <div id="progress">
- <div id="bar"></div>
- <div id="percent">0%</div >
- </div>
- <br/>
- <div id="xmessage"></div>
- </div>
- <script>
- $(document).ready(function()
- {
- $(":file").filestyle(
- {
- icon: false,
- input: false,
- buttonName: 'gcb-button',
- buttonText: 'Choose file'
- }
- );
- var options = {
- beforeSend: function()
- {
- $("#progress").show();
- //clear everything
- $("#bar").width('0%');
- $("#message").html("");
- $("#percent").html("0%");
- },
- uploadProgress: function(event, position, total, percentComplete)
- {
- $("#bar").width(percentComplete+'%');
- $("#percent").html(percentComplete+'%');
- },
- success: function(responseText )
- {
- $("#bar").width('100%');
- $("#percent").html('100%');
- alert(responseText);
- },
- complete: function(response)
- {
- },
- error: function()
- {
- $("#message").html("<font color='red'>ERROR: unable to upload files</font>");
- }
- };
- $("#myForm").ajaxForm(options);
- });
- </script>
- </body>
- </html>
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] granadaconventionbureau.org/wp-content/themes/wp-bs3-rad/ajax-file-upload/index.php
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
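
A hardened server-side handler for the upload form shown above, as an added example; it is not code from the advisory or from the theme, whose `upload.php` is not shown on this page. The action name `bs3rad_upload`, the function name, the nonce field name, the size limit and the permitted file types are assumptions. Nothing the browser sends with the form (the `data-max-size` attribute, the arithmetic challenge and its hidden `xvar` field) is treated as a control.

```php
<?php
// Added example: hypothetical replacement for the theme's stand-alone upload.php.
// It belongs in the theme's functions.php, so WordPress is loaded and requests
// arrive through wp-admin/admin-ajax.php rather than a directly reachable script.

// Hypothetical action name. Only the authenticated hook is registered (there is
// no wp_ajax_nopriv_ counterpart), so anonymous requests never reach the handler.
add_action('wp_ajax_bs3rad_upload', 'bs3rad_handle_upload');

function bs3rad_handle_upload() {
    // 1. CSRF: the nonce must have been issued to this session for this action.
    if (!check_ajax_referer('bs3rad_upload', 'nonce', false)) {
        wp_send_json_error('Invalid request token.', 403);
    }
    // 2. Authorization: the capability WordPress itself requires for uploads.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('Not allowed to upload files.', 403);
    }
    // 3. Field name matches the form on this page: name="myfile".
    if (empty($_FILES['myfile']) || $_FILES['myfile']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('No file received.', 400);
    }
    // 4. Size limit enforced on the server (2 MiB is an assumed value).
    if ($_FILES['myfile']['size'] > 2 * 1024 * 1024) {
        wp_send_json_error('File too large.', 413);
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 5. Extension/MIME allowlist (assumed types). wp_handle_upload() rejects
    //    anything else, picks a unique file name and stores the file in the
    //    WordPress uploads directory instead of the theme directory.
    $result = wp_handle_upload($_FILES['myfile'], array(
        'test_form' => false, // the request is already validated by the nonce above
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    ));

    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 415);
    }
    wp_send_json_success(array('url' => $result['url']));
}
```

With a handler like this in place, the `ajax-file-upload/` directory can be deleted from the theme, and the web server can be configured to refuse direct execution of PHP files under theme subdirectories and under the uploads directory.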