How to use EXPLOIT: Remote LFI for Direct Download for WooCommerce up to v1.15

Hello, today we’re learning how to use the exploit Remote LFI for Direct Download for WooCommerce. This exploit targets a vulnerability in the Direct Download for WooCommerce plugin by Kamalyon that allows downloading any file from the server on which the plugin is running. You can download this exploit for free here.

To use this exploit, you can run it via BrutiFramework or launch it directly by typing:

python lfi_attack_for_direct_download_woocommerce.py

Now we have several options for running this exploit. First, we can enter a domain to check whether that site has the plugin installed:

[Screenshot: Google is not vulnerable to this exploit]

We can see that www.google.com is not vulnerable to this exploit. My own domain, however, has this plugin installed, but I have already patched it, so my domain is not vulnerable.

[Screenshot: my domain is maybe vulnerable to this exploit]

Now we have two ways to use this exploit: we can supply a direct download link from the vulnerable site, or we can search the server for a valid product ID (this search may take a long time, so I recommend starting from a minimum product ID of 400).

First, we’ll test the exploit by setting a valid direct download URL:

[Screenshot: setting a direct download link]

Now we press Enter, and the exploit automatically extracts the correct product ID from the URL and starts working with that product ID.

[Screenshot: downloading the wp-config file]

At this point we can download wp-config.php, /etc/passwd, or any other file we want.

Next, we can test searching for a valid product ID. This is only needed if we have neither a product ID nor a direct download link. We start the exploit and press “0” to skip the checking step (pressing 0 means “I don’t have a direct download link”), then set the domain to attack, in this case diegoceldran.es. Remember that my website is not vulnerable to this exploit, but we can still check for a valid product ID.

[Screenshot: settings to search for a valid download link]

Now we press “1” to search for a valid product ID, and we have to set a minimum and a maximum ID for the search. Setting the minimum to 0 starts the search from 1, and setting the maximum to 0 means there is no upper limit, in which case we have to stop the search manually if no valid product ID is found.

For the minimum product ID, I recommend starting from 400.

[Screenshot: searching for a valid product ID]

We only have to wait until the exploit finds a valid ID; here we can see that a valid product ID was found with ID 402.

[Screenshot: a valid product ID was found]

Now we could download any file from the server.
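From the site owner's side, the two behaviours described above (requests pulling wp-config.php or /etc/passwd through a download parameter, and a client walking through sequential product IDs) both show up in the web server access log. The following is an added detection example written for this post, not code from the exploit or from the plugin; the log lines are constructed, and the query parameter names dd_file and product_id are assumptions, since the post does not show the raw request format.

```python
import re
import urllib.parse
from collections import defaultdict

# Constructed sample access-log lines (not from the original post). The query
# parameter names are assumed; the post does not show the plugin's raw request.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2017:10:00:01 +0000] "GET /?dd_file=../../../wp-config.php&product_id=402 HTTP/1.1" 200 3120
203.0.113.5 - - [12/Jan/2017:10:00:02 +0000] "GET /?dd_file=%2Fetc%2Fpasswd&product_id=402 HTTP/1.1" 200 1800
198.51.100.9 - - [12/Jan/2017:10:01:00 +0000] "GET /?product_id=400 HTTP/1.1" 404 0
198.51.100.9 - - [12/Jan/2017:10:01:01 +0000] "GET /?product_id=401 HTTP/1.1" 404 0
198.51.100.9 - - [12/Jan/2017:10:01:02 +0000] "GET /?product_id=402 HTTP/1.1" 200 512
198.51.100.9 - - [12/Jan/2017:10:01:03 +0000] "GET /?product_id=403 HTTP/1.1" 404 0
192.0.2.7 - - [12/Jan/2017:10:02:00 +0000] "GET /shop/?product_id=402 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Traversal sequences plus the two files the post names as download targets.
SENSITIVE = re.compile(r'\.\.[/\\]|wp-config\.php|/etc/passwd', re.IGNORECASE)

def parse_line(line):
    """Split one combined-log line into client IP, decoded URI and query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = urllib.parse.unquote(m.group("uri"))  # catches %2F-encoded paths too
    query = decoded.partition("?")[2]
    return {"ip": m.group("ip"), "uri": decoded,
            "params": urllib.parse.parse_qs(query, keep_blank_values=True)}

def find_lfi_attempts(log_text):
    """Return (ip, uri) for requests carrying traversal or a sensitive file name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SENSITIVE.search(rec["uri"]):
            hits.append((rec["ip"], rec["uri"]))
    return hits

def find_id_enumeration(log_text, threshold=4):
    """Return {ip: distinct ids} for clients that probed >= threshold distinct
    numeric values of one query parameter, the pattern of the post's ID search."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, values in rec["params"].items():
            seen[(rec["ip"], name)].update(int(v) for v in values if v.isdigit())
    return {ip: len(ids) for (ip, _), ids in seen.items() if len(ids) >= threshold}
```

Running find_lfi_attempts and find_id_enumeration over the sample flags the two sensitive-file requests from 203.0.113.5 and the sequential ID walk from 198.51.100.9, while the single shop request from 192.0.2.7 is left alone.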

IMPORTANT:

To get this exploit, download it from here.
