Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Surreal ToDo - Local File Inclusion

By kannthu

Vidoc logoVidoc Module

What is the "Surreal ToDo - Local File Inclusion?"

The "Surreal ToDo - Local File Inclusion" module is designed to detect a vulnerability in the Surreal ToDo software. This vulnerability allows for local file inclusion through the index.php file and the content parameter. The severity of this vulnerability is classified as high, with a CVSS score of 7.5.

This module was authored by arafatansari.


A successful exploitation of this vulnerability can lead to unauthorized access to sensitive files on the server. In this case, it allows an attacker to retrieve the contents of the "/etc/passwd" file, which contains user account information.

How the module works?

The module sends an HTTP GET request to the target server with a specific path parameter. In this case, the path parameter is set to "/index.php?content=../../../../../../../../etc/passwd". The module then applies two matching conditions to determine if the vulnerability is present.

The first matching condition uses a regular expression to search for the string "root:[x*]:0:0" in the response. If this string is found, it indicates that the "/etc/passwd" file has been successfully retrieved.

The second matching condition checks the HTTP response status code. If the status code is 200, it confirms that the request was successful.

By combining these matching conditions, the module can accurately detect the presence of the local file inclusion vulnerability in the Surreal ToDo software.

For more information, you can refer to the reference.

Module preview

Concurrent Requests (1)
1. HTTP Request template
Matching conditions
regex: root:[x*]:0:0and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability