| tiêu đề | Boss Mini v1.4.0 - LFI |
|---|
| Mô tả | Vulnerability: Local File Inclusion (LFI)
Regarding this flaw, the attacker could read any file from the server where the application is located. And also in some situations it can escalate to a Remote Code Execution (RCE) fault.
Vulnerability Detail:
URI: boss/servlet/document
Parameter: path
Need authentication: no
Version: 1.4.0
Build: 6221
POC: https://drive.google.com/file/d/1RXmDUAjqZvWSvHUrfRerz7My6M3KX7YG/view
Explaining the POC video:
$ python3 poc_lfi_miniboss.py /proc/sys/kernel/osrelease -> The script simulates a POST request asking to read the file /proc/sys/kernel/osrelease;
The test was carried out in the Boss Mini application, in version 1.4.0 and Build 6221;
URI -> The URI that was used to read the file;
Parameter -> path is the parameter that gives the possibility to obtain the return of the file reading;
Content -> It is the result of the file reading request; |
|---|
| Người dùng | nltt0 (UID 49917) |
|---|
| Đệ trình | 03/07/2023 19:04 (cách đây 3 những năm) |
|---|
| Kiểm duyệt | 12/07/2023 18:15 (9 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 233889 [Boss Mini 1.4.0 Build 6221 boss/servlet/document path nâng cao đặc quyền] |
|---|
| điểm | 17 |
|---|