
Qibocms - Arbitrary File Download

By kannthu

High
Vidoc Module
#qibocms #lfr
Description

What is the "Qibocms - Arbitrary File Download" module?

The "Qibocms - Arbitrary File Download" module is a test case designed to detect a specific vulnerability in the Qibocms software. This vulnerability allows an attacker to download arbitrary files from the server. The severity of this vulnerability is classified as high.

This module was authored by theabhinavgaur.

Impact

If successfully exploited, the Qibocms arbitrary file download vulnerability can lead to unauthorized access to sensitive files on the server. This can potentially expose confidential information, compromise the integrity of the system, and enable further attacks.

How does the module work?

The module sends an HTTP GET request to the "/do/job.php?job=download&url=ZGF0YS9jb25maWcucGg8" endpoint of the target Qibocms application. It then applies several matching conditions to determine if the vulnerability is present:

- The response body must contain both of the strings "<?php" and "$webdb".
- The response body must contain the string "filename=config".
- The HTTP status code of the response must be 200.

If all of these conditions are met, the module reports the vulnerability.
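As an added, runnable illustration (this is not Vidoc's code nor the module's own source), the Python below models how a scanner ANDs the module's word and status matchers over an HTTP response, and adds a defender-side check that recognises the request shape the module sends when it appears in an access-log line. The sample responses and the log line are constructed; the choice to search headers and body together for word matchers is this example's own assumption, made so that a Content-Disposition filename can be matched.

```python
"""Added example: evaluate the module's matching conditions and spot its
request shape in access logs. Sample data is constructed, not captured."""
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Matching conditions copied from the module preview on this page.
MATCHERS = [
    {"type": "word", "words": ["<?php", "$webdb"]},
    {"type": "word", "words": ["filename=config"]},
    {"type": "status", "status": 200},
]


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]
    body: str

    def text(self) -> str:
        # Assumption of this example: word matchers search headers and body
        # together, so a Content-Disposition filename and leaked file contents
        # both count toward a match.
        head = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        return head + "\n\n" + self.body


def matcher_hits(matcher: dict, resp: HttpResponse) -> bool:
    """Evaluate one matcher; a word matcher needs every listed string present."""
    if matcher["type"] == "word":
        text = resp.text()
        return all(w in text for w in matcher["words"])
    if matcher["type"] == "status":
        return resp.status == matcher["status"]
    raise ValueError(f"unknown matcher type: {matcher['type']!r}")


def evaluate(resp: HttpResponse, matchers=MATCHERS) -> Tuple[bool, List[bool]]:
    """All matchers are ANDed, as the module description says. Returns the
    overall verdict plus per-matcher results so an analyst can see which
    condition failed on a near miss."""
    results = [matcher_hits(m, resp) for m in matchers]
    return all(results), results


def decode_download_request(request_line: str) -> Optional[dict]:
    """Defender-side triage: for an access-log request line that targets
    /do/job.php with job=download, return the base64-decoded `url` parameter
    (the file being requested); return None for any other request."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    if parts.path != "/do/job.php":
        return None
    qs = parse_qs(parts.query)
    if qs.get("job", [""])[0] != "download" or "url" not in qs:
        return None
    raw = qs["url"][0]
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        decoded = None  # malformed base64: still worth an analyst's look
    return {"method": method, "encoded": raw, "decoded": decoded}


# Constructed sample responses and log line (not from any real host).
VULNERABLE_LIKE = HttpResponse(
    200,
    {"Content-Type": "application/octet-stream",
     "Content-Disposition": "attachment; filename=config.php"},
    "<?php\n$webdb['mysql_host'] = 'localhost';\n",
)
HARMLESS_200 = HttpResponse(200, {"Content-Type": "text/html"}, "<html>ok</html>")
DENIED = HttpResponse(403, {"Content-Type": "text/html"}, "forbidden")
SAMPLE_LOG_LINE = "GET /do/job.php?job=download&url=ZGF0YS9jb25maWcucGg8 HTTP/1.1"

if __name__ == "__main__":
    for name, r in (("vulnerable-like", VULNERABLE_LIKE),
                    ("harmless 200", HARMLESS_200), ("denied", DENIED)):
        print(name, evaluate(r))
    print(decode_download_request(SAMPLE_LOG_LINE))
```

The per-matcher list is the useful part for a blue team: a 200 response that satisfies only the status matcher is the normal case and should not page anyone, while a log line whose decoded `url` parameter names a configuration file is worth a closer look regardless of what the server answered.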

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /do/job.php?job=down...

Matching conditions
   word: <?php, $webdb and
   word: filename=config and
   status: 200

Passive global matcher
   No matching conditions.

On match action
   Report vulnerability