Vendor: WordPress
By: T3N38R15
CVSS: 7.5 (HIGH)
Type: Local File Inclusion
CWE: 98
Product Name: WordPress
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:wordpress:1.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows/Linux
Year: 2015

website contact form with file upload 1.5 Exploit Local File Inclusion

The affected file is /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php, which includes the file /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/helpers/demo.php. The demo request parameter ends up in an include path there. A request such as /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test includes the test.php file in the same directory, because the path has to navigate back out of the filters directory (./filters/../test.php). In this way all PHP files on the system can be included.

Mitigation:

Ensure that the application is not vulnerable to Local File Inclusion (LFI) attacks by validating user input and restricting access to files and directories.
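
One way to apply this to the include quoted in the raw data below, as an added example that is not the plugin's own code: the name is checked against a strict pattern and the resolved path must stay inside the filters directory. The helper name resolve_demo_file() and the temporary sandbox files are assumptions made for the demonstration.

```php
<?php
// Added example; resolve_demo_file() is a hypothetical helper, not plugin code.
// Vulnerable pattern from the advisory:
//   $file = LIB_PATH . '/filters/' . $name . '.php';  include($file);

function resolve_demo_file(string $libPath, string $name): string
{
    // 1. Allowlist by syntax: a filter name is a plain identifier, so
    //    '/', '\', '.' and NUL bytes never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('Invalid demo name');
    }
    // 2. Canonicalise and confirm containment (catches symlinks in filters/).
    $base = realpath($libPath . '/filters');
    if ($base === false) {
        throw new RuntimeException('filters directory not found');
    }
    $file = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('Invalid demo name');
    }
    return $file; // safe to pass to include
}

// Constructed sandbox: one legitimate filter and one file outside filters/.
$lib = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($lib . '/filters', 0700, true);
file_put_contents($lib . '/filters/blur.php', "<?php // constructed filter\n");
file_put_contents($lib . '/test.php', "<?php // constructed, outside filters/\n");

foreach (['blur', '../test', 'missing'] as $candidate) {
    try {
        $path = resolve_demo_file($lib, $candidate);
        echo "$candidate -> allowed: " . basename($path) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "$candidate -> rejected" . PHP_EOL;
    }
}

// Remove the constructed sandbox.
unlink($lib . '/filters/blur.php');
unlink($lib . '/test.php');
rmdir($lib . '/filters');
rmdir($lib);
```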

Exploit-DB raw data:

# Exploit Title: website contact form with file upload 1.5 Exploit Local File Inclusion
# Google Dork: inurl:"/plugins//website-contact-form-with-file-upload/"
# Date: 07.05.2015
# Exploit Author: T3N38R15
# Software Link: https://wordpress.org/plugins/website-contact-form-with-file-upload/
# Version: 1.5
# Tested on: Windows/Linux

The affected file is /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php
It includes the file /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/helpers/demo.php
and the inclusion is at lines 23-26.


			$file = LIB_PATH . '/filters/' . $name . '.php';
			if (!file_exists($file))
				throw new Exception("Invalid demo: {$name}");
			include($file);


The exploit can be used like this: /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test
This version would include the test.php file in the same directory, because we need to navigate back from the directory: ./filters/../test.php
Now we can include all PHP files on the system.

Proof of concept: http://localhost/wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test

Greets to Team Madleets/leets.pro
Regards T3N38R15