yishaadmin - Local File Inclusion

What is "yishaadmin - Local File Inclusion?"

The "yishaadmin - Local File Inclusion" module is designed to detect a vulnerability known as Local File Inclusion (LFI) in the yishaadmin software. LFI allows an attacker to include local files on the server, potentially leading to unauthorized access, information disclosure, or even remote code execution. This vulnerability has a high severity level and should be addressed immediately.

This module was authored by Evan Rubinstein.

Impact

If the "yishaadmin - Local File Inclusion" vulnerability is successfully exploited, an attacker can download, read, or delete files on the server without any authentication. This can lead to the exposure of sensitive information, compromise of user data, or even complete system compromise.

How does the module work?

The module sends an HTTP request to the "/admin/File/DownloadFile" endpoint with a specific file path parameter. It then checks for two matching conditions:

- The response contains the string "root:.*:0:0:", indicating the presence of the root user in the "/etc/passwd" file. - The response status code is 200, indicating a successful request.

If both conditions are met, the module reports a vulnerability.

Here is an example of the HTTP request sent by the module:

GET /admin/File/DownloadFile?filePath=wwwroot/..././/..././/..././/..././/..././/..././/..././/..././etc/passwd&delete=0 HTTP/1.1
Host: {%Hostname%}

Please note that the actual hostname will be substituted in place of "{%Hostname%}".

It is important to address this vulnerability promptly to prevent potential unauthorized access and data breaches.