bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/39883.txt
Offensive Security 62962d90b0 DB: 2016-06-07 
16 new exploits

Linux Kernel < 2.6.34 (Ubuntu 11.10 x86 & x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)
Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)

Linux Kernel  2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)
Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)

Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root

WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities
Dream Gallery 1.0 - CSRF Add Admin Exploit
Apache Continuum 1.4.2 - Multiple Vulnerabilities
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit
Valve Steam 3.42.16.13 - Local Privilege Escalation
ArticleSetup 1.00 - CSRF Change Admin Password
Electroweb Online Examination System 1.0 - SQL Injection
WordPress WP Mobile Detector Plugin 3.5 - Arbitrary File Upload
WordPress Creative Multi-Purpose Theme 9.1.3 - Stored XSS
WordPress WP PRO Advertising System Plugin 4.6.18 - SQL Injection
WordPress Newspaper Theme 6.7.1 - Privilege Escalation
WordPress Uncode Theme 1.3.1 - Arbitrary File Upload
WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection
Notilus Travel Solution Software 2012 R3 - SQL Injection
rConfig 3.1.1 - Local File Inclusion
Nagios XI 5.2.7 - Multiple Vulnerabilities
2016-06-07 05:07:41 +00:00

90 lines
4 KiB
Text
Executable file
Raw Blame History

####################
# Meta information #
####################
# Exploit Title: Wordpress plugin simple-backup - Multiple vulnerabilities
# Date: 2016-06-02
# Exploit Author: PizzaHatHacker [A] gmail [.] com
# Vendor Homepage: [DEAD LINK] https://wordpress.org/plugins/simple-backup/
# Software Link: [DEAD LINK] https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.11
# Tested on: simple-backup 2.7.11 & Wordpress 4.4.2
#
# History :
# 2016-02-21 Contact requested on the vendor website via "Contact Us"
# 2016-02-24 Contact requested on the vendor website via "Support"
# 2016-03-09 Email to plugins@wordpress.org
# 2016-03-10 Acknowledged by Wordpress team
# 2016-06-02 No information, no response, vulnerabilities not fixed,
# disclosure of this document.
#
##################################
### 1. Arbitrary File Deletion ###
##################################
It is possible to remotely delete arbitrary files on the webserver on wordpress
blogs that have simple-backup plugin installed and enabled. No authentication
is required, the default configuration of simple-backup is affected.
Example 1 : Delete "pizza.txt" in wordpress root :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt
Example 2 : Delete .htaccess file protecting the backup folder :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting
Note : When 'download_backup_file' parameter is provided with an invalid
filepath, the PHP script exits prematurely with message "Access Denied!" and so
does not regenerate automaticaly the .htaccess file.
After this request, it may be possible (depending on the web server
configuration) to browse the backup directory and download server backup files
at this URL :
http://127.0.0.1/<WP-path>/simple-backup/
The backup archive files may contain all the wordpress files : configuration
files (wp-config.php etc.), PHP source code (plugins, etc.), and a database
dump (all tables content, wordpress users passwords etc.).
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
########################
### 2. File Download ###
########################
It is possible to download remote files from the webserver on wordpress blogs
that have simple-backup plugin installed and enabled. No authentication is
required, the default configuration of simple-backup is affected.
Example 1 : Download tools.php source file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=
Example 2 : Download a backup file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar
(If backups are performed automatically at predefined times, it is easy to
find the backup file name, as it is based on the current time).
Moreover, the checks performed on user-provided 'filename' parameter are
insufficient :
simple-backup-manager.php:function download_local_backup_file($filename){
$filename = ltrim($filename, ".\/");
* Only logged-in AND authorized users (with permissions to manage backups)
should be allowed to download files
* The file name should match a backup file and must not be empty
* The input is not correctly checked for directory traversal (use PHP
'basename' instead of 'ltrim')
For example in the special case where a folder 'oldBackups' is created inside
the backup directory, it would be possible to download ANY file on the web
server via direct requests to this kind of URLs :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score : 5
Impact Subscore : 2.9
Exploitability Subscore : 10
Reference in a new issue View git blame Copy permalink