WordPress XCloner 3.1.5 Denial Of Service / Code Execution

2016.11.09
Credit: Felipe Molina
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: XCloner <= 3.1.5 Multiple Vulnerabilities
# Google Dork: inurl:"plugins/xcloner-backup-and-restore/readme.txt" -site:wordpress.org
# Date: 08/11/2016
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: www.xcloner.com
# Software Link: https://es.wordpress.org/plugins/xcloner-backup-and-restore/
# Version: 3.1.5 and lower
# Tested on: Ubuntu 14 and PHP 5
# Product description: XCloner is a plugin for WordPress and Joomla! with more than 70,000 active installations, used to run backups and restores of the CMS.

Authenticated DoS or CMS destruction
--------------------------------------------------------

Summary: XCloner does not validate the file path it is about to unlink before unlinking it. Any file on the file system that the web server process can access can therefore be deleted. Both findings require a WordPress administrator session. Destruction of the blog can be achieved with the following PoC:

1. Authenticate to WordPress as an administrator.
2. Request the following XCloner URL:
   * http://example.com/wp-admin/plugins.php?page=xcloner_show&option=xcloner&task=cron_delete&fconfig=../../../../wp-config.php
3. Observe that the WordPress site stops working (wp-config.php has been deleted).
4. If the web server runs with higher privileges, more destructive actions are possible by deleting critical O.S. files.

Authenticated RCE
----------------------------

Summary: XCloner does not filter the command line used to run tar when generating a backup. Arbitrary shell commands can be injected into this field. File creation on the file system can be achieved with the following PoC:

1. Authenticate to WordPress as an administrator.
2. Go to Plugins -> XCloner.
3. Navigate to Administration -> Configuration -> General.
4. Under "Server Use Options", set the field "Tar path or command" to the following value:
   * tar -h; cp /etc/passwd ./passwd.txt ; tar -k
5. Go to "Actions -> Generate Backup".
6. Find the file passwd.txt in the WordPress root folder.
7. Navigate to http://example.com/passwd.txt to view the contents of /etc/passwd.
8. Looking at the code, the field for the mysqldump command, "Mysqldump path or command", is also injectable, but I do not have a PoC for it.

-- Felipe Molina de la Torre (@felmoltor)
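The two root causes described above, a request-supplied file name joined to a directory and passed to unlink() without checking where it resolves, and a configured command string handed to the shell unfiltered, shown next to a hardened form of each. This is an added illustration in PHP, not XCloner's own code: the function names, the backup directory layout and the argument order of the tar invocation are assumptions, and the self-test at the bottom works only inside a throwaway directory it creates itself.

```php
<?php
// Added illustration, not XCloner's code. Function names, the backup
// directory layout and the tar argument order are assumptions.

// Finding 1, flawed pattern: the request value is joined to the backup
// directory and unlinked without checking where the result points, so
// fconfig=../../../../wp-config.php walks out of the backup directory.
function xc_delete_backup_unsafe(string $backup_dir, string $fconfig): bool
{
    return @unlink($backup_dir . '/' . $fconfig);
}

// Hardened: accept only a bare file name, resolve it with realpath() and
// require the result to sit inside the resolved backup directory (which also
// catches symlinks planted there). Returns the path that may be deleted, or
// null, so the decision can be tested without deleting anything.
function xc_resolve_backup_path(string $backup_dir, string $fconfig): ?string
{
    $base = realpath($backup_dir);
    if ($base === false || $fconfig === '' || basename($fconfig) !== $fconfig) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $fconfig);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Finding 2, flawed pattern: the "Tar path or command" setting is dropped
// into the command line verbatim, so "tar -h; cp /etc/passwd ./passwd.txt ;
// tar -k" becomes three commands once the string reaches the shell.
function xc_tar_command_unsafe(string $tar_setting, string $archive, string $dir): string
{
    return $tar_setting . ' -cf ' . $archive . ' ' . $dir;
}

// Hardened: the setting may only name a program (bare name or absolute path,
// no whitespace or shell metacharacters) and every argument is escaped. The
// same validator applies to the "Mysqldump path or command" setting.
function xc_tar_command_safe(string $tar_setting, string $archive, string $dir): ?string
{
    if (!preg_match('#^(/[A-Za-z0-9._-]+)+$|^[A-Za-z0-9._-]+$#', $tar_setting)) {
        return null;
    }
    return escapeshellarg($tar_setting) . ' -cf ' . escapeshellarg($archive)
        . ' ' . escapeshellarg($dir);
}

// Self-test against a throwaway directory tree; nothing outside it is touched
// and xc_delete_backup_unsafe() is deliberately never called.
function xc_selftest(): bool
{
    $tmp = sys_get_temp_dir() . '/xc_demo_' . getmypid();
    $backups = $tmp . '/backups';
    mkdir($backups, 0700, true);
    file_put_contents($tmp . '/wp-config.php', "<?php // stand-in config\n");
    file_put_contents($backups . '/site.tar', "stand-in archive\n");

    $ok = true;
    // The naive join really does leave the backup directory ...
    $ok = $ok && realpath($backups . '/../wp-config.php') === realpath($tmp . '/wp-config.php');
    // ... and the hardened resolver refuses it while still allowing real backups.
    $ok = $ok && xc_resolve_backup_path($backups, '../wp-config.php') === null;
    $ok = $ok && xc_resolve_backup_path($backups, 'site.tar') === realpath($backups . '/site.tar');
    // The injected setting passes straight through the flawed builder ...
    $inj = 'tar -h; cp /etc/passwd ./passwd.txt ; tar -k';
    $ok = $ok && strpos(xc_tar_command_unsafe($inj, 'b.tar', '.'), 'cp /etc/passwd') !== false;
    // ... and is rejected by the hardened one, which still accepts a plain path.
    $ok = $ok && xc_tar_command_safe($inj, 'b.tar', '.') === null;
    $ok = $ok && xc_tar_command_safe('/bin/tar', 'b.tar', '.') === "'/bin/tar' -cf 'b.tar' '.'";

    unlink($backups . '/site.tar');
    unlink($tmp . '/wp-config.php');
    rmdir($backups);
    rmdir($tmp);
    return $ok;
}

echo xc_selftest() ? "all checks passed\n" : "CHECK FAILED\n";
```

Run it with `php xcloner_demo.php`. The prefix comparison uses the resolved base plus a trailing separator so that a sibling directory such as `backups-old` is not mistaken for a child of `backups`; the program allow-list is intentionally stricter than escaping alone, since escaping would still let an administrator point the setting at any executable.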


Copyright 2024, cxsecurity.com