bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50259.txt
Offensive Security 4f2cf56b31 DB: 2021-10-23 
11 changes to exploits/shellcodes

Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection

OpenSIS 8.0 'modname' - Directory Traversal

Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload

Budget and Expense Tracker System 1.0 - Arbitrary File Upload
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation

WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting
Jetty 9.4.37.v20210219 - Information Disclosure
Clinic Management System 1.0 - SQL injection to Remote Code Execution
Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)

Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
2021-10-23 05:02:09 +00:00

22 lines
No EOL
1.2 KiB
Text
Raw Permalink Blame History

# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal
# Date: 09-02-2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE: CVE-2021-40651
The 'modname' parameter in the 'Modules.php' is vulnerable to local file inclusion vulnerability. This vulnerability can be exploited to expose sensitive information from arbitrary files in the underlying system.
To exploit the vulnerability, someone must login as the "Parent" user, navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter and requests the Portal.php's contents. By going back a few directory using '..%2f' decoded as '../' it was possible to disclose arbitrary file from the server's filesystem as long as the application has access to the file.
1. Login as "Parent"
2. Open a web proxy such as BurpSuite and capture the requests
3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=
4. Check the response
PoC: https://youtu.be/wFwlbXANRCo
Reference in a new issue View git blame Copy permalink