Local File Download Tutorial

#1
Local File Download
members!

There are many web applications vulnerable to local file download due to scripts meant to be for downloading specific files, such as PDFs. I will give you a brief explanation about the origin of the vulnerability and how it is exploited. Hope you like it.

The Vulnerability:

The vulnerability allows an attacker to download any file he has read privileges for on the local server. This is due to the attacker being in control of the parameter specifying the name of the file which is downloaded by the force download script. A basic example of a PHP script is:

    <?php
    // The file name comes straight from the request and is never validated.
    $file = $_GET['file'];
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename='.basename($file));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        ob_clean();
        flush();
        // Sends whatever path was requested, as long as the web server user can read it.
        readfile($file);
        exit;
    }
    ?>

Exploitation:

We just have to specify the value of the 'file' parameter in this example.

For example, if we want the passwd file:

The downloaded file contains the original contents of the passwd file.

If we try the same with the shadow file (which is only readable by root user):

These are the contents of the file downloaded:

Bypassing Some Filters:

Many scripts add a file extension to the file name provided by the user in order to try to specify the type of the files to be downloaded. Most of the time, when null byte is enabled on the server, the filter could be bypassed simply by just injecting a null byte at the end of the file name.

Example of these filters:

    $file = $_GET['file'] . ".pdf" ;

How to bypass it to download the passwd file:

    example.com/download.php?=../../../../../../../etc/passwd%00

Regards,
Neo
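Seen from the defending side, the script in the post fails because the request parameter reaches `readfile()` unchecked, and appending ".pdf" does not fix that. The hardened handler below is an added example, not part of the original post; the directory `/var/www/downloads`, the constant `DOWNLOAD_DIR` and the function `resolve_download()` are assumptions made for illustration.

```php
<?php
// Added example (not the original poster's code).
// Assumed: every file meant for download lives in this one directory.
const DOWNLOAD_DIR = '/var/www/downloads';

/**
 * Map a user-supplied name to a real file inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_download(string $requested, string $baseDir): ?string
{
    // Refuse empty names and null bytes explicitly rather than relying on the runtime.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept a bare file name only: any directory component is a refusal.
    if (basename($requested) !== $requested) {
        return null;
    }
    // Check the extension the client sent instead of appending one.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    // Canonicalise both paths (resolves "..", symlinks) and require containment.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$requested = $_GET['file'] ?? '';
// A parameter sent as an array (file[]=x) is refused, not passed on.
$path = is_string($requested) ? resolve_download($requested, DOWNLOAD_DIR) : null;
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "refused"
    exit;
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Where the set of downloadable files is small and fixed, mapping an opaque ID to a server-side path removes the user-supplied file name entirely and is the stronger design.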