[+] Exploit Title ; Wordpress wp-File-Manager plugin Version 1.9 SSRF/XSPA Vulnerability [+] Date : 2017-01-14 [+] Author : 0P3N3R From IRANIAN ETHICAL HACKERS [+] Vendor Homepage : https://wordpress.org/plugins/wp-file-manager/ [+] Version : 1.9 [+] Forum : irethicalhackers.com/forums [+] Dork : N/A [+] Tested On : windows 10 - kali linux 2.0 [+] Contact : https://telegram.me/WebServer [+] Description : [!] FILE MANAGER PROVIDES YOU FEATURES TO EDIT, DELETE, UPLOAD, DOWNLOAD, COPY AND PASTE FILES AND FOLDERS. YOU CAN EASILY COPY, MOVE FILES FOLDER OR ANY FILES FROM ONE LOCATION TO ANOTHER LOCATION. [+] Exploitation Technique: [!] Local [+] Severity Level: [!] Medium [+] poc : [!] Go to the File Manager section So you can upload the file. [!] You can upload files through a link and a computer [!] Insert a link in the box instead of drag and drop ‍ [!] In this vulnerability, we only use port scanning [!] If you use the following payload, you can see the server SSH version [!] For View Results,Right Click on uploaded file and select preview. Now you can see ssh version [+] For Ex : [!] http://localhost:port(for Ex :22)/YourFile.jpg [+] ScreenShot : [!] http://s6.uplod.ir/i/00908/o78hj8pp1i9u.png [+] Video : [!] https://www.youtube.com/watch?v=qCC-omOEHDU&feature=youtu.be [!] We Are : [!] Mehrdad_Ice - 0P3N3R