Nextcloud penetration testing

A penetration tester's guide to Nextcloud reconnaissance, exploitation and hardening

What is Nextcloud used for?

The free Nextcloud clients for Android, iOS and desktop systems let you sync and share files over an encrypted (TLS) connection. The mobile clients can automatically upload the pictures and videos you take and synchronize selected files and folders.

1. Recon

Find the version (status.php is readable without authentication and returns JSON with the version string):

https://target/status.php

Find the OCS API endpoints:

https://target/ocs-provider/

Nextcloud detection (nuclei template):

nuclei -u target -t nextcloud-detect.yaml
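The three recon steps above can be scripted. The following is an added example (not code from this repository or from Nextcloud): it fetches /status.php and /ocs-provider/, parses the JSON, and turns the state fields into findings. The two sample responses are constructed for offline use; the field names match what current Nextcloud releases return, the values are made up, and the "nc-recon" User-Agent string is arbitrary.

```python
"""Recon helpers for a Nextcloud target: version from /status.php and API
endpoints from /ocs-provider/. Added example, not code from the repo."""
import json
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed samples of the two unauthenticated JSON responses. Field names
# follow what current Nextcloud releases return; the values are made up.
SAMPLE_STATUS = json.dumps({
    "installed": True, "maintenance": False, "needsDbUpgrade": False,
    "version": "25.0.3.2", "versionstring": "25.0.3", "edition": "",
    "productname": "Nextcloud", "extendedSupport": False,
})
SAMPLE_OCS_PROVIDER = json.dumps({
    "version": 2,
    "services": {
        "SHARING": {"version": 1, "endpoints": {
            "share": "/ocs/v2.php/apps/files_sharing/api/v1/shares"}},
        "FEDERATED_SHARING": {"version": 1, "endpoints": {
            "share": "/ocs/v2.php/cloud/shares",
            "webdav": "/public.php/webdav/"}},
    },
})


def parse_status(body):
    """Pull the fields a tester cares about out of /status.php JSON."""
    data = json.loads(body)
    full = str(data.get("version", ""))
    head = full.split(".")[0]
    return {
        "product": data.get("productname", "unknown"),
        "version": data.get("versionstring") or full,
        "full_version": full,
        "major": int(head) if head.isdigit() else None,
        "installed": bool(data.get("installed")),
        "maintenance": bool(data.get("maintenance")),
        "needs_db_upgrade": bool(data.get("needsDbUpgrade")),
    }


def recon_flags(status):
    """State flags worth noting: each one changes what to test next."""
    flags = []
    if not status["installed"]:
        flags.append("not installed: the setup page may be reachable")
    if status["maintenance"]:
        flags.append("maintenance mode: most endpoints answer 503")
    if status["needs_db_upgrade"]:
        flags.append("pending DB upgrade: instance is mid-upgrade")
    return flags


def parse_ocs_provider(body):
    """Flatten /ocs-provider/ into {SERVICE.kind: path}."""
    data = json.loads(body)
    endpoints = {}
    for name, svc in data.get("services", {}).items():
        for kind, path in svc.get("endpoints", {}).items():
            endpoints["%s.%s" % (name, kind)] = path
    return endpoints


def fetch(url, timeout=10):
    req = urllib.request.Request(url, headers={"User-Agent": "nc-recon/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def recon(base):
    """Run both checks against a live target; returns the parsed results."""
    base = base.rstrip("/")
    out = {"status": None, "endpoints": {}}
    try:
        out["status"] = parse_status(fetch(base + "/status.php"))
    except (HTTPError, URLError, ValueError) as exc:
        print("status.php: %s" % exc)
    try:
        out["endpoints"] = parse_ocs_provider(fetch(base + "/ocs-provider/"))
    except (HTTPError, URLError, ValueError) as exc:
        print("ocs-provider: %s" % exc)
    return out


if __name__ == "__main__":
    # With no argument, run against the constructed samples.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    res = recon(target) if target else {
        "status": parse_status(SAMPLE_STATUS),
        "endpoints": parse_ocs_provider(SAMPLE_OCS_PROVIDER)}
    st = res["status"]
    if st:
        print("%s %s (%s)" % (st["product"], st["version"], st["full_version"]))
        for f in recon_flags(st):
            print("  !", f)
    for k, v in sorted(res["endpoints"].items()):
        print("  %-28s %s" % (k, v))
```

Run it as python3 recon.py https://target; without an argument it prints the parsed sample data. The full four-part version (for example 25.0.3.2) is what you match against advisories, while the "installed" and "needsDbUpgrade" flags tell you whether the exposed-installer and mid-upgrade checks from the next section are worth running.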

2. Exploit

Brute-force credentials against the WebDAV API. remote.php/dav/files/USERNAME/ accepts the account password (or an app password) over HTTP Basic auth; public.php/webdav takes a public-share token as the username and the share password, if the link has one, as the password. Nextcloud's brute-force protection does not block a noisy client outright but delays its responses, so keep attempts slow and watch response times:

https://target/public.php/webdav
https://target/remote.php/dav/files/USERNAME/

Exposed Nextcloud installer page (nuclei template):

nuclei -u target -t nextcloud-install.yaml

3. Recommendations

To disable the web-based updater, set 'upgrade.disable-web' => true, in Nextcloud's config.php. The updater UI is otherwise reachable at:

https://target/updater/

4. Reports

Top reports from the Nextcloud program at HackerOne (upvotes and bounty as listed on the program page):

  1. Code injection possible with malformed Nextcloud Talk chat commands to Nextcloud - 314 upvotes, $3000
  2. User can delete data in shared folders he's not authorized to access to Nextcloud - 165 upvotes, $250
  3. Access to all files of remote user through shared file to Nextcloud - 149 upvotes, $750
  4. Attacker can obtain write access to any federated share/public link to Nextcloud - 135 upvotes, $4000
  5. Missing ownership check on remote wipe endpoint to Nextcloud - 127 upvotes, $500
  6. Remote Code Execution via Extract App Plugin to Nextcloud - 121 upvotes, $0
  7. Re-Sharing allows increase of privileges to Nextcloud - 90 upvotes, $750
  8. No rate limiting for confirmation email lead to huge Mass mailings to Nextcloud - 78 upvotes, $0
  9. User deletion is not handled properly everywhere to Nextcloud - 75 upvotes, $1000
  10. Arbitrary SQL command injection to Nextcloud - 73 upvotes, $500
  11. Nextcloud Desktop Client RCE via malicious URI schemes to Nextcloud - 72 upvotes, $1000
  12. File-drop content is visible through the gallery app to Nextcloud - 68 upvotes, $500
  13. Arbitrary code execution in desktop client via OpenSSL config to Nextcloud - 59 upvotes, $100
  14. Extremely simple way to bypass Nextcloud-Client PIN/Fingerprint lock to Nextcloud - 56 upvotes, $100
  15. Default Nextcloud Server and Android Client leak sharee searches to Nextcloud - 53 upvotes, $750
  16. Clear text storage of proxy parameters and passwords to Nextcloud - 53 upvotes, $250
  17. Stored XSS in collabora via user name to Nextcloud - 48 upvotes, $0
  18. Two-factor authentication enforcement bypass to Nextcloud - 46 upvotes, $750
  19. SSL certificate not validated when registering with a provider to Nextcloud - 42 upvotes, $300
  20. Memory Leak in OCUtil.dll library in Desktop client can lead to DoS to Nextcloud - 40 upvotes, $100
  21. [Reflected XSS] In Request URL to Nextcloud - 37 upvotes, $50
  22. Remote code execution via path traversal in Zip extraction in the Extract app to Nextcloud - 37 upvotes, $0
  23. http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement to Nextcloud - 37 upvotes, $0
  24. Scoped apptokens can be changed by that very apptoken to Nextcloud - 36 upvotes, $1000
  25. Expired reshare links allow access to all files in share to Nextcloud - 36 upvotes, $400
  26. No session logout after changing password & also android sessions not shown in sessions list so they can be deleted to Nextcloud - 35 upvotes, $50
  27. Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0
  28. 2FA session does not expire after the password reset to Nextcloud - 31 upvotes, $50
  29. SQL Injection found in NextCloud Android App Content Provider to Nextcloud - 30 upvotes, $150
  30. Group admins can remove arbitrary data from "data" directory (including admin data) to Nextcloud - 30 upvotes, $150
  31. Passwords being stored as plain text in logging to Nextcloud - 30 upvotes, $0
  32. I am because bug to Nextcloud - 29 upvotes, $0
  33. Reflected XSS in error pages (NC-SA-2017-008) to Nextcloud - 28 upvotes, $450
  34. Code injection in macOS Desktop Client to Nextcloud - 28 upvotes, $250
  35. Database error shown to the user when using a long guest name in richdocuments to Nextcloud - 28 upvotes, $0
  36. CSRF vulnerability that allows an attacker to modify encryption settings to Nextcloud - 27 upvotes, $0
  37. Persistent XSS via filename in projects to Nextcloud - 23 upvotes, $150
  38. Blind Stored XSS on iOS App due to Unsanitized Webview to Nextcloud - 23 upvotes, $100
  39. Leak arbitrary file under nextcloud android client privacy directory to Nextcloud - 23 upvotes, $100
  40. Bypass of privacy filter / tracking pixel blocker to Nextcloud - 23 upvotes, $100

References
