This exploit demonstrates a Local File Include (LFI) vulnerability in PHP-Nuke by manipulating the 'name' and 'file' parameters in the modules.php URL. The attacker can include arbitrary files from the server, potentially leading to remote code execution if combined with log poisoning or other techniques.
Classification
Working Poc 90%
Target:
PHP-Nuke (latest version at time of disclosure)
No auth needed
Prerequisites:
Access to a vulnerable PHP-Nuke installation · Knowledge of server file paths for inclusion