Web Directory Free Plugin

2 weeks ago 26

BOOK THIS SPACE FOR AD

ARTICLE AD

Steps to Reproduce & Proof of Concept (POC)

1. Install and Activate the Web Directory Free plugin on your WordPress site

Web Directory Free plugin, version 1.7.2

2. Use the [webdirectory-search] shortcode provided by the plugin to create a post that displays a directory listing

Example of a directory listing page

3. Use the Repeater tab in Burp Suite to send a POST request to the endpoint:

POST /wp-admin/admin-ajax.php

Send a POST request to admin-ajax.php

4. Insert the following parameter in the request body:

action=w2dc_controller_request

w3dc controller request

Template parameter from Burp Suite’s response

5. Observe the server’s response for signs of how the action parameter is processed

6. Add a template parameter to the request body and include a dot-dot-slash (../) to test the vulnerability

action=w2dc_controller_request&template=../

Test for Local File Inclusion (LFI) using the dot-dot-slash

7. Keep appending ../ until you reach and display the contents of the /etc/passwd file

../../../../../etc/passwd

Read the etc passwd file by traversing directories

8. After confirming the vulnerability, explore sensitive files such as the SSH configuration (ssh_config) or other critical files on the server

Investigate the SSH configuration file for further exploitation

Read Entire Article