- Joined
- 11 yrs. 6 mth. 27 days
- Messages
- 5,381
- Reaction score
- 18,380
- Age
- 45
- Wallet
- 11,590$
- [email protected]
Local File Download
members!There are many web applications vulnerable to local file download due to scripts meant to be for downloading specific files, such as PDFs. I will give you a brief explanation about the origin of the vulnerability and how it is exploited. Hope you like it The Vulnerability:The vulnerability allows an attacker to download any file he has read priveleges for on the local server. This is due to the attacker being in control of the parameter specifying the name of the file which is downloaded by the force download script. A basic example of a PHP script is:<?php$file = $_GET['file'];if (file_exists($file)) {header('Content-Description: File Transfer');header('Content-Type: application/octet-stream');header('Content-Disposition: attachment; filename='.basename($file));header('Content-Transfer-Encoding: binary');header('Expires: 0');header('Cache-Control: must-revalidate');header('Pragma: public');header('Content-Length: ' . filesize($file));ob_clean();flush();readfile($file);exit;}?>Exploitation:We just have to specify the value of the 'file' parameter in this example.For example, if we want the passwd file:The downloaded file contains the original contents of the passwd file.If we try the same with the shadow file (which is only readable by root user):These are the contents of the file downloaded:Bypassing Some Filters:Many scripts add a file extension to the file name provided by the user in order to try to specify the type of the files to be downloaded. Most of the times, when null byte is enabled on the server, the filter could be bypassed simply by just injecting a null byte at the end of the file name.Example of these filters:$file = $_GET['file'] . ".pdf" ;How to bypass it to download the passwd file:example.com/download.php?=../../../../../../../etc/passwd%00Regards,Neo
members!There are many web applications vulnerable to local file download due to scripts meant to be for downloading specific files, such as PDFs. I will give you a brief explanation about the origin of the vulnerability and how it is exploited. Hope you like it The Vulnerability:The vulnerability allows an attacker to download any file he has read priveleges for on the local server. This is due to the attacker being in control of the parameter specifying the name of the file which is downloaded by the force download script. A basic example of a PHP script is:<?php$file = $_GET['file'];if (file_exists($file)) {header('Content-Description: File Transfer');header('Content-Type: application/octet-stream');header('Content-Disposition: attachment; filename='.basename($file));header('Content-Transfer-Encoding: binary');header('Expires: 0');header('Cache-Control: must-revalidate');header('Pragma: public');header('Content-Length: ' . filesize($file));ob_clean();flush();readfile($file);exit;}?>Exploitation:We just have to specify the value of the 'file' parameter in this example.For example, if we want the passwd file:The downloaded file contains the original contents of the passwd file.If we try the same with the shadow file (which is only readable by root user):These are the contents of the file downloaded:Bypassing Some Filters:Many scripts add a file extension to the file name provided by the user in order to try to specify the type of the files to be downloaded. Most of the times, when null byte is enabled on the server, the filter could be bypassed simply by just injecting a null byte at the end of the file name.Example of these filters:$file = $_GET['file'] . ".pdf" ;How to bypass it to download the passwd file:example.com/download.php?=../../../../../../../etc/passwd%00Regards,Neo
Verified & Trusted WesternUnion | MoneyGram | Bank - Transferring [299$ BTC for 2000$ WU]
Verified & Trusted Electronics Carding, Carding iPhone, Samsung Carding, MacBook Carding, Laptops Carding