Friday, August 12, 2016

Wordpress File Path Traversal Examples

I pasted several similar Wordpress exploit attempts from some web logs. They generally match WAF or IDS rules of file traversal. They look like this...

GET/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
GET/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php
GET/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10
GET/wp-content/themes/mtheme-unus/css/css.php?files=../../../../wp-config.php


These exploits take advantage of insecure wordpress plugins. Each of them have a query string parameter that would allow you to download a file. Theoretically the plugin was only supposed to allow you to download files from the current plugin directory, like music, audio, etc. that was allowed. But in this case the query string parameter wasn't properly properly the path passed in and it allowed for path traversal (../../) to go up and down the file system hierarchy. In this case the attacker is then attempting to get to the wp-config.php file which can contain your security keys , database user and password, etc. so some valuable data!

To prevent this, either patch your plugins when vulns like this come out ... or disable/remove unused plugins.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

3 comments: