BUG_Author: xuanSAMA
Affected Version: MoneyPrinterTurbo ≤ 1.2.6
Vendor: MoneyPrinterTurbo GitHub Repository
Software: MoneyPrinterTurbo
Vulnerability Files:
app/controllers/v1/video.py
Path Traversal Vulnerability:
In app/controllers/v1/video.py, both the download_video and stream_video functions receive a file_path from the URL. This user-provided input is not properly sanitized before being used to construct a file path on the server.
Exploiting the Vulnerability:
By manipulating the file_path variable with "dot-dot-slash (../)" sequences or by providing an absolute file path, an attacker can access arbitrary files and directories stored outside the intended web root folder. This could include sensitive data such as application source code, configuration files, and critical system files like /etc/passwd.
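As an added defensive example (not code from MoneyPrinterTurbo or from the reporter), the following Python shows the join pattern that lets an absolute or "../" file_path escape the storage directory, next to a resolver that normalizes the candidate path and refuses anything that does not stay under the intended root. VIDEO_ROOT, the function names and the sample paths are constructed for this example and are not taken from the project.

```python
import os
from pathlib import Path

# Constructed for this example: the directory the download/stream endpoints are
# meant to serve from. The real MoneyPrinterTurbo storage layout is not assumed.
VIDEO_ROOT = Path("/srv/app/storage/tasks")


def naive_join(root, file_path):
    """The pattern behind the flaw: os.path.join silently drops `root` when
    `file_path` is absolute (e.g. "//etc/passwd"), and '..' is never checked."""
    return os.path.join(str(root), file_path)


def resolve_within_root(root, file_path):
    """Return the absolute Path for `file_path` if and only if it stays inside `root`.

    Raises ValueError for empty or absolute inputs, embedded NUL bytes, and any
    path whose normalized form (after '..' collapsing and symlink resolution)
    lands outside `root`. The containment check runs on the resolved candidate,
    not on the raw string, so segment tricks such as "abc/../../x" are caught too.
    """
    if not isinstance(file_path, str) or not file_path:
        raise ValueError("file_path must be a non-empty string")
    if "\x00" in file_path:
        raise ValueError("file_path contains a NUL byte")
    # An absolute path would replace root in a join; reject it outright. The
    # explicit leading-separator test keeps the behaviour identical across platforms.
    if os.path.isabs(file_path) or file_path[0] in ("/", "\\"):
        raise ValueError("absolute paths are not allowed")

    root = Path(root).resolve()
    candidate = (root / file_path).resolve()
    # `parents` holds every ancestor directory; root itself is not a servable file.
    if root not in candidate.parents:
        raise ValueError("path escapes the storage root")
    return candidate


def is_safe(file_path, root=VIDEO_ROOT):
    """Boolean wrapper around resolve_within_root, handy for tests and audit loops."""
    try:
        resolve_within_root(root, file_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate task video, one in-root '..' use,
    # and variants of the absolute / traversal shapes described in the advisory.
    samples = [
        "abc123/final-1.mp4",
        "abc123/../def456/final-1.mp4",
        "//etc/passwd",
        "/etc/passwd",
        "../../../../etc/passwd",
        "abc123/../../../etc/passwd",
    ]
    for p in samples:
        print(f"{p!r:36} naive={naive_join(VIDEO_ROOT, p)!r:40} safe={is_safe(p)}")
```

In the endpoint, resolve_within_root would be called on the file_path the framework has already URL-decoded, a ValueError mapped to a 400 or 404 response, and only the returned Path handed to the file or streaming response; the naive join is kept here purely to make the escape visible side by side with the check.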
Example Path Traversal Payload:
The following payload can be used to read the /etc/passwd file from the server:
//etc/passwd
Requesting the Vulnerable Endpoints:
Download Endpoint:
http://<target-ip>:<port>/api/v1/download//etc/passwd
Stream Endpoint:
http://<target-ip>:<port>/api/v1/stream//etc/passwd
Verifying the Exploit:
Ensure the vulnerable version of the MoneyPrinterTurbo application is running.
Open a web browser or use a command-line tool like curl to make requests to the vulnerable endpoints.
Use the following URLs, replacing <target-ip>:<port> with the actual address of the application:
To test the download endpoint:
http://<target-ip>:<port>/api/v1/download//etc/passwd
To test the stream endpoint:
http://<target-ip>:<port>/api/v1/stream//etc/passwd
If the vulnerability is present, the application will serve or stream the /etc/passwd file, confirming the path traversal flaw.
If the request succeeds, the server responds with the contents of the requested file (in this case, /etc/passwd). Depending on the endpoint used, the user's browser will either prompt to download the file or attempt to stream its content. This confirms that an attacker can read arbitrary files from the filesystem.