
How I found my first 0day

Title : All-in-One Video Gallery plugin <= 2.4.9 - Local File Inclusion (LFI) vulnerability
Author: m19o
Software : WordPress 5.8.2
CVE : CVE-2021-24970
PoC : https://example/wordpress/wp-admin/admin.php?page=all-in-one-video-gallery&tab=../../../../../poc

Static analysis

At the beginning, I started analyzing the code to understand how it works.

While analyzing the dashboard.php file, I saw that the developer uses require_once at the end of the file. As you can see, {$active_tab} gets its value from TAB, and the TAB value is provided by the user.


Let's EXPLOIT

Exploitation

I wrote PHP code to echo "Proof Of Concept" and saved it in the WordPress root directory.


Any file with a .php extension can be included and executed this way, because .php is appended to whatever value you provide.
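
The pattern described above next to an allowlist-based fix, as an added example (constructed PHP, not the plugin's code or its actual patch; the tab names, directory layout and function names are assumptions):

```php
<?php
// Added example: constructed code, not the plugin's source. Directory layout,
// tab names and function names are assumptions for illustration.

// Pattern described above: the request value reaches the include path with
// only ".php" appended, so "../" sequences escape the intended directory.
function vulnerable_tab_path(string $base_dir, string $tab): string
{
    return "{$base_dir}/{$tab}.php";
}

// Hardened form: the request value only selects a key in a fixed allowlist
// and is never concatenated into a filesystem path.
const ALLOWED_TABS = [                 // hypothetical tab names
    'dashboard' => 'dashboard.php',
    'settings'  => 'settings.php',
];

function safe_tab_path(string $base_dir, $tab): string
{
    if (!is_string($tab) || !array_key_exists($tab, ALLOWED_TABS)) {
        $tab = 'dashboard';            // unknown or malformed value: use the default tab
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . ALLOWED_TABS[$tab]);
    // Defence in depth: the resolved file must exist under the template directory.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('tab template missing or outside template directory');
    }
    return $path;
}

// Constructed demo: a temporary template directory with two tab files.
$base = sys_get_temp_dir() . '/lfi_demo_' . getmypid() . '/partials';
mkdir($base, 0700, true);
foreach (ALLOWED_TABS as $file) {
    file_put_contents("$base/$file", "<?php // placeholder tab template\n");
}

foreach (['settings', '../../../../../poc', 'no-such-tab'] as $input) {
    printf("tab=%s\n  unchecked: %s\n  allowlist: %s\n",
        $input, vulnerable_tab_path($base, $input), safe_tab_path($base, $input));
}
```

With the allowlist, the traversal value from the PoC resolves to the default tab template instead of a path outside the template directory.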

Test case

Now I will use the LFI to get a reverse shell.


**Here we go, I received the connection using Netcat as a listener**


This post is licensed under CC BY 4.0 by the author.