We’ve moved to

http://websecurity.ro/blog

http://websecurity.ro

// Script Title: eLouai’s Force Download
// Home Script: http://elouai.com/force-download.php
// Vuln Type: Local File Inclusion / LFI
// Discovered by: The_PitBull aNd iNs
// Bug:
$filename = $_GET['file'];
// PoC: http://www.site.com/force-download.php?file=[LFI]
// D0rk: allinurl: force-download।php?file=

So i first looked at the google dork. Seems ok, but i preferred to change it a little bit to:
allinurl:force-download.php.file=

And i started to play around with it.
Started my firefox turned on hackbar view on, took the first result in google (i never do this, but this time i was high a bit) and started to test the site.
I saw that i can include the index.php file like this

http://vulnerabile.site/force-download.php?file=index.php

And i could download the file. Wow! This is nice. What does this actually mean ?
That the file is not included in the script, and the headers were similar to this:

Content-Disposition: attachment; filename=index.php

Hmm, i cannot use log poisoning and including… damn.
I’m looking around though the files and i’m trying to see all the saved passwords and information that could help me.
Interesting files like: config.php, config.inc.php, db.php.
I can see mysql passwords, smtp servers, everything.
I’m getting bored with this site and i go looking for another one.

I finally find an interesting site. I see that the /admin directory exists and automatically redirects me to login.php.
I’m thinking, are they stupid enough to put the password in plain text ? A few seconds and… yes they are.
Hello, i have admin over the whole site. Cool!

No defacement. I don’t like full defacements. Only a few scary clowns pictures added.