How to use EXPLOIT: Remote LFI for Direct Download for WooCommerce up to v1.15
Hello, today we’re learning how to use the exploit “Remote LFI for Direct Download for WooCommerce”. This exploit targets a vulnerability in the plugin Direct Download for WooCommerce by Kamalyon; the vulnerability allows us to download any file from the server where this plugin is running. You can download this exploit for free here.
Now, to use this exploit, you can execute it via BrutiFramework, or by typing the command directly:
Now we have several options to run this exploit. First, we can enter a domain to check whether a given site has this plugin installed:
We can see that www.google.com is not vulnerable to this exploit; however, my own domain has this plugin installed, but I’ve already patched the plugin, so my domain is not vulnerable.
Now we have several options for using this exploit: we can supply a direct download link from the vulnerable site, or we can search for a valid product ID on the server (this process may take a long time, so I recommend starting from a minimum product ID of 400).
First, we’ll test the exploit by setting a valid direct download URL:
Now we press Enter, and the exploit automatically extracts the correct product ID from the URL and starts working with that product ID.
Right now, we can download wp-config.php, /etc/passwd, or whatever file we want to download.
Now we can test searching for a valid product ID, which is only needed if we don’t have any product ID or direct download link. We start the exploit and press «0» to skip the checking step; we press 0 to say that we don’t have any direct download link, and set the domain to attack, in this case diegoceldran.es. I remember my website is not vulnerable to this exploit; however, we can check for a valid product ID.
Now we press «1» to search for a valid product ID, and we have to set a minimum ID and a maximum ID to search. We can set 0 as the minimum ID to start from 1, and we can set 0 as the maximum value to not set any maximum ID; in that case we’ll have to stop the process manually if no valid product ID is found.
For the minimum product ID, I recommend starting from 400.
We only have to wait a while until the exploit finds a valid ID; we can see that a valid product ID was found with ID 402.
Now we can download any file on the server.
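From the defender’s side, the walkthrough above leaves two traces in a web-server access log: one client walking product IDs one by one (400, 401, 402 …) and a file parameter pointing at wp-config.php or /etc/passwd. The following Python script is an added example, not part of the original post or the exploit: it flags both patterns in constructed log lines. The endpoint path and the `download_file` and `file` parameter names are assumptions, not the plugin’s real ones.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs, unquote
# Constructed sample access-log lines (Apache combined style, simplified).
# Endpoint path and parameter names are assumptions, not taken from the plugin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /?download_file=400&file=invoice.pdf HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /?download_file=401&file=invoice.pdf HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "GET /?download_file=402&file=invoice.pdf HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2023:10:00:04 +0000] "GET /?download_file=402&file=../../wp-config.php HTTP/1.1" 200 3150
203.0.113.7 - - [10/Oct/2023:10:00:05 +0000] "GET /?download_file=402&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2001
198.51.100.9 - - [10/Oct/2023:10:01:00 +0000] "GET /?download_file=402&file=invoice.pdf HTTP/1.1" 200 812
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SENSITIVE = ("wp-config.php", "/etc/passwd", "/etc/shadow", ".htaccess")

def is_traversal(value):
    """True if a decoded file parameter leaves the intended directory or names a sensitive file."""
    decoded = unquote(unquote(value))   # handle double URL-encoding
    if ".." in decoded or decoded.startswith("/") or "\\" in decoded:
        return True
    return any(s in decoded for s in SENSITIVE)

def analyse(log_text, id_param="download_file", file_param="file", enum_threshold=3):
    """Return findings: traversal requests and clients walking sequential product IDs."""
    findings = []
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, url, status = m.groups()
        qs = parse_qs(urlparse(url).query)   # parse_qs already decodes one layer of %XX
        for f in qs.get(file_param, []):
            if is_traversal(f):
                findings.append(("traversal", client, unquote(unquote(f)), status))
        for pid in qs.get(id_param, []):
            if pid.isdigit():
                ids_by_client[client].add(int(pid))
    for client, ids in ids_by_client.items():
        # Consecutive IDs from one client look like the product-ID search described above.
        run = sorted(ids)
        longest = best = 1
        for a, b in zip(run, run[1:]):
            longest = longest + 1 if b == a + 1 else 1
            best = max(best, longest)
        if best >= enum_threshold:
            findings.append(("id_enumeration", client, f"{run[0]}-{run[-1]}", str(best)))
    return findings
```

Running `analyse(SAMPLE_LOG)` on the constructed lines yields two traversal findings for 203.0.113.7 followed by one id_enumeration finding covering IDs 400-402; the second client, which fetched a single valid ID, is not flagged.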
To get this exploit, download it from here.