[+] Exploit Title ; Wordpress File Manager plugin Version 5.0.1 SSRF/XSPA Vulnerability [+] Date : 2018-01-21 [+] Author : 0P3N3R From IRANIAN ETHICAL HACKERS [+] Vendor Homepage : https://wordpress.org/plugins/file-manager/ [+] Version : 5.0.1 [+] Forum : irethicalhackers.com/forums [+] Dork : inurl:/wp-content/plugins/file-manager [+] Tested On : windows 10 - kali linux 2.0 [+] Contact : https://telegram.me/WebServer [+] Description : [!] Most robust and powerful file manager for wordpress. You can upload, delete, copy, move, rename, archive, extract files. You don’t need to worry about ftp any more. It is realy simple and easy to use. Just install the plugin following standard wordpress plugin install process and visit your dashbord. You will find a side menu called file manager. Just click on it to open file manager. [+] Exploitation Technique: [!] Local [+] Severity Level: [!] low [+] poc : [!] Go to the File Manager section So you can upload the file. [!] You can upload files through a link and a computer [!] Insert a link in the box instead of drag and drop ‍ [!] In this vulnerability, we only use port scanning [!] If you use the following payload, you can see the server SSH version [!] For View Results,Right Click on uploaded file and select preview. Now you can see ssh version [+] For Ex : [!] http://localhost:port(for Ex :22)/YourFile.jpg [+] ScreenShot : [!] http://s6.uplod.ir/i/00912/xgyu41v0kwh6.png [+] Video : [!] https://www.aparat.com/v/l5xHz [+] We Are : [!] Mehrdad_Ice [+] 0P3N3R [+] BaxTurk24