Revealing CVE-2024-22988 - A Unique Dive into Exploiting Access Control Gaps in ZKBio WDMS. Uncover the Untold, Crafted for Beginners with a Rare Glimpse into Pentesting Strategies

Summary

Version 8.0.5 (Build: 20211216.13375) of ZKBio WDMS has an improper access control vulnerability, CVE-2024-22988: a flaw in the backup system's authentication lets any user download the database backups by guessing their file names. This post acts as a complete hands-on guide to understanding and exploiting this vulnerability. Interestingly, as of this writing there has been no coverage of this vulnerability, so the post captures the whole process, from reading the CVE description to eventually arriving at the complete exploit. No prior experience is required, and everything is explained in as much detail as possible to keep the content beginner friendly!

@secatgourity
