Online News Portal Local File Inclusion

Online News Portal versions released prior to November 16, 2020 have been identified as being susceptible to a local file inclusion vulnerability.

MD5 | 150d4a01deee247d05bff4f6b2ff5485

# Exploit Title: Online News Portal  - Local File Inclusion
# Date: 2020-11-16
# Exploit Author: gh1mau
# Email: [email protected]
# Team Members: Capt'N, muzzo, chaos689 |
# Vendor Homepage:
# Software Link:
# Software Release Data: November 16, 2020
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)

Vulnerable File:

Vulnerable Code:
Entry point:
line 26: $page = isset($_GET['page']) ? $_GET['page'] : 'home';

Exit point:
line 27: include $page.'.php';

Vulnerable Issue:
Attacker could load and read any file from the application (page= parameter from index.php) (with .php extension) and decode the base64 response to read the source code.


Related Posts