Nextcloud penetration testing
August 30, 2022
A penetration tester's guide to Nextcloud exploitation and penetration testing
What is Nextcloud used for?
The free Nextcloud clients for Android, iOS and desktop systems allow you to sync and share files in a fully secure way through an encrypted connection. The mobile clients feature automatic upload of the pictures and videos you take and can synchronize selected files and folders.
1. Recon
Find the installed version (status.php returns it as JSON):
https://target/status.php
Find the OCS API endpoints:
https://target/ocs-provider/
Nextcloud detection with nuclei:
nuclei -u target -t nextcloud-detect.yaml
2. Exploit
Brute-force the API (WebDAV endpoints):
https://target/public.php/webdav
https://target/remote.php/dav/files/USERNAME/
Nextcloud exposed installation (setup wizard still reachable):
nuclei -u target -t nextcloud-install.yaml
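As an added example (not part of the original cheat sheet), the following Python turns the JSON that status.php and ocs-provider return into findings a defender can act on: version disclosure, a version below a policy minimum, an unfinished setup (installed=false, the condition behind the exposed-installation check above), a pending database upgrade and maintenance mode. The sample bodies are constructed to match the shape of those responses and are not captured from a real host; the minimum-version policy is an assumed value, not a Nextcloud default.

```python
import json

# Constructed sample responses, shaped like the JSON that status.php and
# ocs-provider return on a Nextcloud server; not captured from a real host.
STATUS_INSTALLED = (
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"24.0.3.2","versionstring":"24.0.3","edition":"",'
    '"productname":"Nextcloud","extendedSupport":false}'
)
# Same instance before the setup wizard was completed: installed=false.
STATUS_NOT_INSTALLED = STATUS_INSTALLED.replace('"installed":true', '"installed":false')
OCS_PROVIDER = (
    '{"version":2,"services":{'
    '"SHARING":{"version":1,"endpoints":{"share":"/ocs/v2.php/apps/files_sharing/api/v1/shares"}},'
    '"FEDERATED_SHARING":{"version":1,"endpoints":{"share":"/ocs/v2.php/cloud/shares",'
    '"webdav":"/public.php/webdav/"}}}}'
)


def parse_status(body: str) -> dict:
    """Extract the status.php fields an inventory or assessment script needs."""
    data = json.loads(body)
    return {
        "product": data.get("productname", ""),
        "version": data.get("version", ""),
        "installed": bool(data.get("installed", False)),
        "maintenance": bool(data.get("maintenance", False)),
        "needs_db_upgrade": bool(data.get("needsDbUpgrade", False)),
    }


def version_tuple(version: str) -> tuple:
    """'24.0.3.2' -> (24, 0, 3, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def assess_status(status: dict, minimum_version: str = "24.0.0") -> list:
    """Return findings; minimum_version is an assumed policy value (hypothetical)."""
    findings = []
    if not status["installed"]:
        # Before setup completes, index.php serves the installer to anyone.
        findings.append("setup wizard exposed (installed=false)")
    if status["version"]:
        findings.append(f"version disclosed: {status['version']}")
        if version_tuple(status["version"]) < version_tuple(minimum_version):
            findings.append(f"version below policy minimum {minimum_version}")
    if status["needs_db_upgrade"]:
        findings.append("pending database upgrade")
    if status["maintenance"]:
        findings.append("maintenance mode enabled")
    return findings


def ocs_endpoints(body: str) -> dict:
    """Flatten ocs-provider output into {'SERVICE.endpoint': path}."""
    data = json.loads(body)
    flat = {}
    for service, info in data.get("services", {}).items():
        for name, path in info.get("endpoints", {}).items():
            flat[f"{service}.{name}"] = path
    return flat


if __name__ == "__main__":
    for label, body in (("installed", STATUS_INSTALLED), ("not installed", STATUS_NOT_INSTALLED)):
        st = parse_status(body)
        print(label, st["product"], st["version"], assess_status(st))
    for key, path in sorted(ocs_endpoints(OCS_PROVIDER).items()):
        print(key, "->", path)
```

Pointing the same functions at real response bodies is a one-line change; the value of keeping the parsing separate from the fetching is that the same assessment logic can run in a CI job against your own instances without any network access in the tests.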
3. Recommend
To disable the web-based upgrader, set 'upgrade.disable-web' => true, in Nextcloud's config.php; the updater endpoint is then no longer usable:
https://target/updater/
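An added example (not part of the original cheat sheet) of auditing that recommendation: the Python below checks whether a config.php has 'upgrade.disable-web' set to true on an uncommented line, and rewrites a config that lacks the key or has it set to false. The weak and hardened configs are constructed samples; the instance id and data directory in them are placeholders.

```python
import re

# Matches an uncommented PHP array entry such as:  'upgrade.disable-web' => false,
KEY_RE = re.compile(r"""^(\s*)(['"])upgrade\.disable-web\2\s*=>\s*(true|false)\s*,?\s*$""")

# Constructed sample config (placeholder values), with the weak default.
WEAK_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocPLACEHOLDER',
  'datadirectory' => '/var/www/nextcloud/data',
  'upgrade.disable-web' => false,
);
"""

# Same config without the key at all: Nextcloud then defaults to the web updater being enabled.
MISSING_CONFIG = WEAK_CONFIG.replace("  'upgrade.disable-web' => false,\n", "")


def _is_comment(line: str) -> bool:
    return line.strip().startswith(("//", "#", "*", "/*"))


def web_updater_disabled(config_text: str) -> bool:
    """True only when an uncommented 'upgrade.disable-web' => true is present."""
    for line in config_text.splitlines():
        if _is_comment(line):
            continue
        m = KEY_RE.match(line)
        if m:
            return m.group(3) == "true"
    return False  # key absent: the web updater stays enabled by default


def disable_web_updater(config_text: str) -> str:
    """Return config_text with 'upgrade.disable-web' => true, set (in place or inserted)."""
    out = []
    found = False
    for line in config_text.splitlines():
        m = None if _is_comment(line) else KEY_RE.match(line)
        if m:
            out.append(f"{m.group(1)}'upgrade.disable-web' => true,")
            found = True
        else:
            out.append(line)
    if not found:
        # Insert just before the ");" that closes the $CONFIG array.
        for i in range(len(out) - 1, -1, -1):
            if out[i].strip() == ");":
                out.insert(i, "  'upgrade.disable-web' => true,")
                break
        else:
            raise ValueError("could not find the closing ');' of the $CONFIG array")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("missing", MISSING_CONFIG)):
        print(name, "disabled:", web_updater_disabled(cfg))
        print(disable_web_updater(cfg))
```

The comment check matters: a line such as // 'upgrade.disable-web' => true, looks hardened on a casual grep but leaves the updater enabled, so the audit treats it as absent.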
4. Reports
Disclosed reports from the Nextcloud program at HackerOne (title, upvotes, bounty):
- Code injection possible with malformed Nextcloud Talk chat commands to Nextcloud - 314 upvotes, $3000
- User can delete data in shared folders he's not autorized to access to Nextcloud - 165 upvotes, $250
- Access to all files of remote user through shared file to Nextcloud - 149 upvotes, $750
- Attacker can obtain write access to any federated share/public link to Nextcloud - 135 upvotes, $4000
- Missing ownership check on remote wipe endpoint to Nextcloud - 127 upvotes, $500
- Remote Code Execution via Extract App Plugin to Nextcloud - 121 upvotes, $0
- Re-Sharing allows increase of privileges to Nextcloud - 90 upvotes, $750
- No rate limiting for confirmation email lead to huge Mass mailings to Nextcloud - 78 upvotes, $0
- User deletion is not handled properly everywhere to Nextcloud - 75 upvotes, $1000
- Arbitrary SQL command injection to Nextcloud - 73 upvotes, $500
- Nextcloud Desktop Client RCE via malicious URI schemes to Nextcloud - 72 upvotes, $1000
- File-drop content is visible through the gallery app to Nextcloud - 68 upvotes, $500
- Arbitrary code execution in desktop client via OpenSSL config to Nextcloud - 59 upvotes, $100
- Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock to Nextcloud - 56 upvotes, $100
- Default Nextcloud Server and Android Client leak sharee searches to Nextcloud to Nextcloud - 53 upvotes, $750
- Clear text storage of proxy parameters and passwords to Nextcloud - 53 upvotes, $250
- Stored XSS in collabora via user name to Nextcloud - 48 upvotes, $0
- Two-factor authentication enforcement bypass to Nextcloud - 46 upvotes, $750
- SSL certificate not validated when registering with a provider to Nextcloud - 42 upvotes, $300
- Memory Leak in OCUtil.dll library in Desktop client can lead to DoS to Nextcloud - 40 upvotes, $100
- [Reflected XSS] In Request URL to Nextcloud - 37 upvotes, $50
- Remote code execution via path traversal in Zip extraction in the Extract app to Nextcloud - 37 upvotes, $0
- http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement to Nextcloud - 37 upvotes, $0
- Scoped apptokens can be changed by that very apptoken to Nextcloud - 36 upvotes, $1000
- Expired reshare links allow access to all files in share to Nextcloud - 36 upvotes, $400
- No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted to Nextcloud - 35 upvotes, $50
- Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0
- 2FA Session not expires after the password reset to Nextcloud - 31 upvotes, $50
- SQL Injection found in NextCloud Android App Content Provider to Nextcloud - 30 upvotes, $150
- Group admins can remove arbitrary data from "data" directory (including admin data) to Nextcloud - 30 upvotes, $150
- Passwords being stored as plain text in logging to Nextcloud - 30 upvotes, $0
- I am because bug to Nextcloud - 29 upvotes, $0
- Reflected XSS in error pages (NC-SA-2017-008) to Nextcloud - 28 upvotes, $450
- Code injection in macOS Desktop Client to Nextcloud - 28 upvotes, $250
- Database error shown to the user when using a long guest name in richdocuments to Nextcloud - 28 upvotes, $0
- CSRF vulnerability that allows an attacker to modify encryption settings to Nextcloud - 27 upvotes, $0
- Persistent XSS via filename in projects to Nextcloud - 23 upvotes, $150
- Blind Stored XSS on iOS App due to Unsanitized Webview to Nextcloud - 23 upvotes, $100
- Leak arbitrary file under nextcloud android client privacy directory to Nextcloud - 23 upvotes, $100
- Bypass of privacy filter / tracking pixel blocker to Nextcloud - 23 upvotes, $100
