关联漏洞
Description
Jasmin ransomware web panel path traversal PoC
介绍
# Jasmin ransomware web panel path traversal PoC
#EducationalPurposes <br>
https://github.com/codesiddhant/Jasmin-Ransomware <br>
I discovered a pre-auth path traversal vulnerability in the Jasmin Ransomware web panel (CVE-2024-30851), allowing an attacker to deanonymize panel operators and dump decryption keys. Jasmin ransomware was observed in a recent TeamCity (CVE-2024-27198, CVE-2024-27199) exploitation campaign (https://twitter.com/brody_n77/status/1765145148227555826)
[Screencast from 2024-04-04 18-51-07.webm](https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/assets/146861503/82f412f0-9321-4c0b-a74d-27973ba338a6)
### Execution after redirect (CWE-698)
The affected endpoint (Jasmin-Ransomware/Web Panel/download_file.php) fails to die() after sending the Location header. This allows an attacker to bypass authentication requirements. The call to readfile is unsanitized allowing an attacker to read arbitrary files.
```php
<?php
session_start();
if(!isset($_SESSION['username']) ){
header("Location: login.php");
}
$file=$_GET['file'];
if(!empty($file)){
// Define headers
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=$file");
header("Content-Type: text/encoded");
header("Content-Transfer-Encoding: binary");
// Read the file
readfile($file);
```
There is also a bunch of SQLi, one of them is exploited to bypass the login and obtain the filenames of decryption keys
文件快照
[4.0K] /data/pocs/a761faff5eab577593794c64d3ee893641076a24
├── [2.8K] exploit.py
└── [1.5K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。