# Exploit Title: XCloner <= 3.1.5 Multiple Vulnerabilities
# Google Dork: inurl:"plugins/xcloner-backup-and-restore/readme.txt" -site:wordpress.org
# Date: 08/11/2016
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: www.xcloner.com
# Software Link: https://es.wordpress.org/plugins/xcloner-backup-and-restore/
# Version: 3.1.5 and lower
# Tested on: Ubuntu 14 and PHP 5
# Product description: XCloner is a plugin for wordpress and Joomla! with more than 70.000 active installations to easily execute backup and restores on your CMS.
 
Authenticated DoS or CMS destruction
--------------------------------------------------------
Summary: XClonner does not check the file path is going to unlink
after unlinking it. Therefore, a deletion of random files on the file
system accesible by the web process is possible. A destruction of the
blog can be achieved with the following PoC:
 
1. Authenticate to wordpress with an administrator
2. Access to XCloner to the following URL:
* http://example.com/wp-admin/plugins.php?page=xcloner_show&option=xcloner&task=cron_delete&fconfig=../../../../wp-config.php
3. See how your wordpress stops working.
4. In case that the web server is running with higher privileges, a more destructive action would be possible deleting O.S. critical files.
 
Authenticated RCE
----------------------------
Summary:
XCloner does not filter the command line is being used to execute the
tar of a backup.
Random shell commands can be injected in this field.
A file creation in the file system can be achieved with the following PoC:
 
1. Authenticate to wordpress with an administrator
2. Access to Plugins -> XCloner
3. Navigate to Administration -> Configuration -> General
4. In "Server Use Options" set the field "Tar path or command" with
the following value:
* tar -h; cp /etc/passwd ./passwd.txt ; tar -k
5. Now go to "Actions -> Generate Backup"
6. Find the file passwd.txt in the wordpress root folder
7. Navigate to http://example.com/passwd.txt to see the file /etc/passwd
8. Looking at the code, the field to specify the mysqldump command
"Mysqldump path or command" is also injectable, but I have not a PoC
for it.
 
-- 
 
Felipe Molina de la Torre (@felmoltor)