Old School Source Code Disclosure Vulnerability

On May 2nd I started a re-evaluation of a web application for a client. While doing the re-evaluation I found that they had added some more functions to the web app. I started exploring the new features, and everything looked fine, as they were all static HTML pages, until I came across a file, "filedownload.php".

Now, my first step was to spider this branch, which I did with the help of Burp Suite. The full link was "http://site.com/filedownload.php?file=E:\netpub\vhosts\www\httpdocs/journal/welcome.pdf"

The path of the application was disclosed: E:\netpub\vhosts\www\

Then I simply opened the link "http://site.com/filedownload.php?file=" in my browser and received an error message from the server:
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"

The moment I saw that error I remembered that this might be an old-school GHDB-type file download vulnerability, so now I had to check for two types of vulnerability:
1. LFI - Local File Inclusion
2. Source Code Disclosure

After some directory traversal attempts I was sure that LFI was not applicable.

Then I started looking for the Web.config file, as the server was running Windows IIS.
The link "http://site.com/filedownload.php?file=web.config" worked, but no luck, as the file was empty.

Then I looked for the "index.php" file, as many web developers put their database connection password in the "index" file: "http://site.com/filedownload.php?file=index.php". Luckily I was able to download the index file, but the password still was not present.

But I got a hint: a file named "UserUtils.php" was linked from the "index.php" file.
So I started searching for "UserUtils.php" in all the paths I knew. After some hard work I located the file at "E:\netpub\vhosts\www\htdocs\UserUtils.php". Full link:
 and the file contained the SMTP server's administrator email ID, username, password, etc.

But I still was not done; I had to find the database credentials. After reading the whole file I found a new path holding the configuration files "admin/include/config.php" and "admin/include/functions.php".

Now I tried to download the configuration file: "http://site.com/filedownload.php?file=admin/include/config.php"

And cheers, I was able to see the database credentials, as they were stored in plaintext.
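The root cause of everything above is a download script that passes the `file` parameter straight to the filesystem. Below is an added example (not the client's code, which is not shown here) of how such an endpoint can be hardened: the client supplies only a file name, the resolved path must stay inside one fixed directory, and refused requests get the same generic response as missing files, so neither the server path nor a usage hint is disclosed. The directory and the PDF-only restriction are assumptions.

```php
<?php
// Hardened replacement for a download endpoint like filedownload.php.
// Added example; the original application's code is not on the page,
// so the download directory and allowed extensions are assumptions.

const DOWNLOAD_DIR = 'E:/netpub/vhosts/www/httpdocs/journal'; // assumed
const ALLOWED_EXTENSIONS = ['pdf'];                            // assumed

/**
 * Resolve a requested file name to an absolute path inside DOWNLOAD_DIR,
 * or return null when the request must be refused.
 */
function resolve_download(string $requested): ?string
{
    // Accept a bare file name only: any '/', '\' or NUL byte means the
    // caller is trying to steer the path (E:\..., ../, admin/include/...).
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // Serve only the document types this endpoint exists for, so
    // web.config, index.php or config.php are never candidates.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing files and resolves symlinks;
    // the prefix check guarantees the final path is inside the base dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_download((string)($_GET['file'] ?? ''));
if ($path === null) {
    // One generic answer for both "missing" and "refused": no filesystem
    // path and no "USE ...?file=filepath" hint is leaked to the client.
    http_response_code(404);
    exit('File not found.');
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Requests for "welcome.pdf" resolve normally, while any of the parameter values used in the write-up above are refused before the filesystem is touched.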

A video tutorial of a similar type of attack: https://www.youtube.com/watch?v=gjREfF5C4RQ


-Raghav Bisht