
Mission

The attacker might not have any user-level access to the web application. However, this does not mean that the application cannot be attacked remotely. Local File Inclusion vulnerabilities can be triggered even by unauthenticated users.

In the exercise below, the attacker is unauthenticated to the web application and needs to find a local file inclusion vulnerability to access sensitive files on the server.

WordPress is a free and open source, full-featured CMS for hosting blogs and web portals. It is based on PHP and MySQL and is one of the most popular CMS platforms.

WordPress Site Editor Plugin (1.1.1) is vulnerable to a Local File Inclusion flaw documented as CVE-2018-7422.

Objective: Your task is to find and exploit this vulnerability.

Level difficulty: Easy

Category: Webapps CVEs > Local File Inclusion

Solution

The lab started with a real copy of a default WordPress installation with one additional plugin, which is vulnerable to Local File Inclusion.


After searching the internet for CVE-2018-7422 exploits, I discovered the following resource:

Image of AttackDefense 2018

In order to retrieve the /etc/passwd file contents, I used the following payload:

Image of AttackDefense 2018

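On the defender's side, an unauthenticated file read like the one in this lab leaves a trace in the web server access log. The following is an added example, not part of the original write-up: it flags requests to plugin PHP files whose query parameters decode to a local file path. The log lines, the plugin path `example-plugin/render.php` and the parameter name `tpl` are constructed placeholders, not the real plugin's.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format). The plugin path
# and the "tpl" parameter are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/example-plugin/render.php?tpl=header HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/example-plugin/render.php?tpl=/etc/passwd HTTP/1.1" 200 1743 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/example-plugin/render.php?tpl=..%252f..%252f..%252fwp-config.php HTTP/1.1" 200 3121 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /?s=/etc/passwd HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')
# Only PHP files served directly from a plugin directory are in scope.
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/[^/]+/.*\.php$", re.I)
# Values that look like a filesystem path rather than normal plugin input.
SENSITIVE_RE = re.compile(r"^/(etc|proc|var|home|root)/|\.\./|wp-config\.php", re.I)


def fully_decode(value, rounds=3):
    """Undo nested URL encoding (e.g. %252f) and normalise backslashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def find_lfi_attempts(log_text):
    """Return (client, path, parameter, decoded value, status) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not PLUGIN_PHP_RE.match(url.path):
            continue  # e.g. a site search for "/etc/passwd" is not a plugin include
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SENSITIVE_RE.search(value):
                hits.append((client, url.path, name, value, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is worth prioritising, since it suggests the file contents were actually returned.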