Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ####################################################################
- # Exploit Title : WordPress 4.8 Ait-ThemesClub TemplatePreview 1.8.1 RFI Open Redirection
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 28/03/2019
- # Vendor Homepage : ait-themes.club
- # Software Information Link : ait-themes.club/wordpress-themes/
- ait-themes.club/documentation/
- themeforest.net/user/lumbermandesigns
- # Software Affected Version : WordPress Version 4.8 - 5.1.1 - Theme Version 1.8.1
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : High
- # Google Dorks : inurl:/template-preview.php?url=
- # Vulnerability Type :
- CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
- CWE-98 [ Improper Control of Filename for Include
- /Require Statement in PHP Program ('PHP Remote File Inclusion') ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- # Reference Link : cxsecurity.com/issue/WLB-2019030237
- ####################################################################
- # Impact :
- ***********
- * WordPress 4.8 Ait-ThemesClub TemplatePreview 1.8.1 accepts a user-controlled
- input that specifies a link to an external site, and uses that link in a Redirect.
- This simplifies phishing attacks. An http parameter may contain a URL value
- and could cause the web application to redirect the request to the specified URL.
- By modifying the URL value to a malicious site, an attacker may successfully
- launch a phishing scam and steal user credentials. Because the server name in the
- modified link is identical to the original site, phishing attempts have a more
- trustworthy appearance. Open redirect is a failure in that process that makes
- it possible for attackers to steer users to malicious websites. This vulnerability is
- used in phishing attacks to get users to visit malicious sites without realizing it.
- Web users often encounter redirection when they visit the Web site of a company
- whose name has been changed or which has been acquired by another company.
- Visiting unreal web page user's computer becomes affected by malware
- the task of which is to deceive the valid actor and steal his personal data.
- *The PHP application receives input from an upstream component, but it does not
- restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
- * In certain versions and configurations of PHP, this can allow an attacker to
- specify a URL to a remote location from which the software will obtain the code to execute.
- In other cases in association with path traversal, the attacker can specify a local file
- that may contain executable statements that can be parsed by PHP.
- ####################################################################
- # Open Redirection Exploit :
- **************************
- /template-preview.php?url=[BASE-64 Encoded URL]
- /template-preview.php?url=aHR0cHM6Ly9jeHNlY3VyaXR5LmNvbS8=
- Note : Convert any random desired redirection address into the Base64 Encoded Link.
- Example 1 => aHR0cHM6Ly9jeHNlY3VyaXR5LmNvbS8= stands for cxsecurity.com
- Example 2 => aHR0cHM6Ly93d3cuY3liZXJpem0ub3JnLw== stands for cyberizm.org
- Example 3 => aHR0cDovL2V4cGxvaXQ0YXJhYi5vcmcv stands for exploit4arab.org
- Example 4 => aHR0cHM6Ly9wYWNrZXRzdG9ybXNlY3VyaXR5LmNvbS8= stands for packetstormsecurity.com
- Useable Base64 Encoder - Decoder Links :
- base64decode.org
- base64encode.org
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] messagizer.com/template-preview.php?url=aHR0cHM6Ly9jeHNlY3VyaXR5LmNvbS8=
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
Add Comment
Please, Sign In to add comment