Invia #209767: JNDI injection tool JNDIExploit has an arbitrary file reading vulnerabilityinformazioni

TitoloJNDI injection tool JNDIExploit has an arbitrary file reading vulnerability
DescrizioneJNDIExploit is a widely used vulnerability exploitation tool, and many other tools also use or are based on JNDIExploit. The http server will be started by default,The corresponding code for the tool http server is located in the project."src/main/java/com/feihong/ldap/HTTPServer.java" When the suffix name does not belong to any of the if else, it will enter handleFileRequest. vulnerability code: private static void handleFileRequest(HttpExchange exchange) throws Exception { String path = exchange.getRequestURI().getPath(); String filename = cwd + File.separator + "data" + File.separator +path.substring(path.lastIndexOf("/") + 1); File file = new File(filename); if (file.exists()){ byte[] bytes = new byte[(int) file.length()]; FileInputStream fileInputStream = new FileInputStream(file); fileInputStream.read(bytes); exchange.sendResponseHeaders(200, file.length() + 1); exchange.getResponseBody().write(bytes); }else { System.out.println("[!] Response Code: " + 404); exchange.sendResponseHeaders(404, 0); } exchange.close(); } It will get the last / and splice it with the current pwd, but in the Windows system, the path is represented by , so running the tool on Windows will cause the corresponding arbitrary file to be read. Here I use python to attack You can see that the file contents are returned. And I do have this file in my d drive
Fonte⚠️ https://github.com/WhiteHSBG/JNDIExploit/issues/10
Utente
 kaikaix (UID 30740)
Sottomissione17/09/2023 07:29 (3 anni fa)
Moderazione29/09/2023 07:05 (12 days later)
StatoAccettato
Voce VulDB240866 [WhiteHSBG JNDIExploit 1.4 su Windows HTTPServer.java handleFileRequest directory traversal]
Punti20

Do you want to use VulDB in your project?

Use the official API to access entries easily!