Path: blob/master/documentation/modules/auxiliary/gather/camaleon_download_private_file.md
Vulnerable Application
This module attempts to read files by exploiting an authenticated directory traversal vulnerability in Camaleon CMS versions <= 2.8.0 and version 2.9.0.
CVE-2024-46987 mistakenly indicates that versions 2.8.1 and 2.8.2 are also vulnerable; however, this is not the case.
Setup
See Camaleon CMS documentation.
The following describes how to set up Camaleon CMS version 2.8.0 on Ubuntu.
Requirements
Rails 6.1+
PostgreSQL, MySQL 5+ or SQLite
Ruby 3.0+
ImageMagick
Install Ruby
guides.rubyonrails.org/install_ruby_on_rails.html
Install Mise
Install Ruby with Mise
Install ImageMagick
Install PostgreSQL
Install Rails
concurrent-ruby Issue
Downgrade concurrent-ruby to 1.3.4
Create Rails Project
Run rails new camaleon_project
Gemfile
In your Gemfile do the following:
Replace gem 'spring' with gem 'spring', '4.2.1'
Delete this line to prevent conflict: gem 'sass-rails', '>= 6'
Put these lines at the bottom of your Gemfile:
Install Bundle
From the project directory run bundle install
Webpacker.yml Issue
Camaleon CMS Installation
Run Rails
Navigate to http://{ip address}:3000 and enter test under the Name field.
Setup Server
When prompted with the new installation page just enter "test" into the Name field and continue.
Create Unprivileged User (Optional)
Navigate to http://{ip address}:3000/admin and log in with the default admin credentials "admin:admin123".
Then navigate to "Users -> + Add User" and fill out the form.
Verification Steps
1. Do: use auxiliary/gather/camaleon_download_private_file
2. Do: set RHOST [IP]
3. Do: run
Options
FILEPATH
The filepath of the file to read.
DEPTH
The number of "../" sequences appended to the filename. Default is 13.
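
Detection side of the DEPTH option, as an added example that is not part of the module or of Camaleon CMS: a Ruby scan of web access logs for requests whose query parameters carry stacked "../" sequences, plain or percent-encoded. The log format (combined), the request path /admin/example/download, the sample lines and the threshold of 3 are assumptions made for the illustration.

```ruby
require 'uri'

# One traversal segment after decoding: "../" or "..\".
TRAVERSAL_SEGMENT = %r{\.\.[/\\]}
# Combined log format (assumed): ip, ident, user, [time], "METHOD target proto", status.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Percent-decode up to max_rounds times so double-encoded input (%252e) is caught.
def fully_decode(value, max_rounds = 3)
  max_rounds.times do
    decoded = begin
      URI.decode_www_form_component(value).scrub
    rescue ArgumentError
      value # malformed %-escape: keep what we have
    end
    break if decoded == value
    value = decoded
  end
  value
end

# Largest number of traversal segments found in any single query parameter value.
def traversal_depth(request_target)
  query = request_target.split('?', 2)[1]
  return 0 if query.nil?
  query.split('&').map { |pair|
    fully_decode(pair.split('=', 2)[1].to_s).scan(TRAVERSAL_SEGMENT).length
  }.max || 0
end

# Returns one hash per log line whose traversal depth reaches min_depth (assumed threshold).
def flag_traversal(lines, min_depth = 3)
  lines.filter_map do |line|
    m = LOG_LINE.match(line)
    next unless m
    depth = traversal_depth(m[:target])
    { ip: m[:ip], status: m[:status].to_i, depth: depth } if depth >= min_depth
  end
end

# Constructed sample lines; the request path is a placeholder, not the CMS endpoint.
PREFIX = '"GET /admin/example/download?file='
SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] ' + PREFIX + 'reports/q1.pdf HTTP/1.1" 200 5120',
  '192.0.2.44 - - [01/Jan/2025:10:00:05 +0000] ' + PREFIX + '../' * 13 + 'path/to/file HTTP/1.1" 200 1843',
  '192.0.2.44 - - [01/Jan/2025:10:00:09 +0000] ' + PREFIX + '%2e%2e%2f' * 13 + 'path/to/file HTTP/1.1" 404 0'
].freeze

flag_traversal(SAMPLE_LOG).each { |hit| puts hit } if __FILE__ == $PROGRAM_NAME
```

A flagged request that was answered with status 200 is the one to triage first, since it suggests the file was actually returned.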