# Jasmin ransomware web panel path traversal PoC
#EducationalPurposes <br> <br>
I discovered a pre-auth path traversal vulnerability in the Jasmin Ransomware web panel (CVE-2024-30851), allowing an attacker to deanonymize panel operators and dump decryption keys.  Jasmin ransomware was observed in a recent TeamCity (CVE-2024-27198, CVE-2024-27199) exploitation campaign (

[Screencast from 2024-04-04 18-51-07.webm](

### Execution after redirect (CWE-698)
The affected endpoint (Jasmin-Ransomware/Web Panel/download_file.php) fails to die() after sending the Location header.   This allows an attacker to bypass authentication requirements.  The call to readfile is unsanitized allowing an attacker to read arbitrary files.
if(!isset($_SESSION['username']) ){
	header("Location: login.php");
    // Define headers
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Disposition: attachment; filename=$file");
    header("Content-Type: text/encoded");
    header("Content-Transfer-Encoding: binary");
    // Read the file

There is also a bunch of SQLi, one of them is exploited to bypass the login and obtain the filenames of decryption keys