DuckieTV CMS version 1.1.5 suffers from a local file inclusion vulnerability.
0f7c3ac190d24812bb19d4a0af0f7e8a
___________________________________________________
|
| Exploit Title: DuckieTV CMS Local File Inclusion
| Exploit Author: Ashiyane Digital security Team
| Vendor Homepage: http://schizoduckie.github.io/DuckieTV/
| Software Link:
https://github.com/SchizoDuckie/DuckieTV/archive/angular.zip
| Version: DuckieTV 1.1.5
| Date: 2017-10-14
| Category: webapps
| Tested on: Kali-Linux /FireFox
| CVE : CVE-2016-4314
|__________________________________________________
Vulnerable File :
$cache = strtolower(preg_replace('/[^a-zA-Z0-9]/', '',
$_GET['url'])).'.json';
// if there's a cached version of this request in fixtures, serve it.
if(file_exists(dirname(__FILE__).'/fixtures/'.$cache)) {
$out =
json_decode(file_get_contents(dirname(__FILE__).'/fixtures/'.$cache),true);
$out['headers']['Content-Length'] = strlen($out['content']);
unset($out['headers']['Transfer-Encoding']);
unset($out['headers']['Cookie']);
foreach($out['headers'] as $key=>$val) {
header("{$key}: {$val}");
}
header('Proxy-Cache-hit: '.$cache);
die($out['content']);
} else {
header('Proxy-Cache-miss: '.$cache);
}
Proof of Concept :
http://127.0.0.1/7/DuckieTV-angular/tests/proxy.php?url=[LFI]
__________________________________________________
Discovered By : M.R.S.L.Y
__________________________________________________