[kwlug-disc] Identify this exploit?

Mikalai Birukou mb at 3nsoft.com
Sat Dec 28 10:00:16 EST 2019


I've duckduckgo-ed GET /download.php?file=../.

This shows up 
https://www.tutorialrepublic.com/php-tutorial/php-file-download.php

There is download.php example file in it with

```php
$file = urldecode($_REQUEST["file"]); // Decode URL-encoded string
$filepath = "images/" . $file;        // $file is concatenated as-is: nothing rejects "../"
```

PHP isn't my language, but nothing here jumps out saying "sanitize the path".

How many people could have used this example to add download functionality to 
whatever app/site? StackOverflow-style programming?

Maybe it's a good idea to search the system for download.php?


On 2019-12-28 1:49 a.m., Paul Nijjar via kwlug-disc wrote:
> In my Apache logs I saw something like this, and my search-engine
> skills are weak:
>
> 133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
>
> It's pretty obvious what they are trying to do, but I am having
> trouble figuring out what the target is, exactly. Is this an exploit
> in a popular web package I should know about?
>
> - Paul
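The two checks a reader of this thread is likely to want, as an added example that is not part of the original message and not code from tutorialrepublic.com: first, the tutorial's `"images/" . $file` concatenation next to a version that canonicalises the result and refuses anything outside the images directory (in PHP the same containment check is spelled with `realpath()` and a prefix comparison; the example itself is Python); second, a scanner that pulls requests like the one in Paul's Apache log out of combined-format log lines, decoding the target so URL-encoded and double-encoded `..` sequences are caught too. The directory tree and the extra log lines are constructed here; the `133.18.209.124` line is the one quoted in the thread.

```python
"""Added example, not code from the thread or from tutorialrepublic.com.

naive_resolve()          keeps the tutorial's behaviour for comparison
resolve_download()       same concatenation, plus a containment check
find_traversal_probes()  flags Apache log lines whose decoded target contains ../ or ..\\

The directory tree and the log lines marked "constructed" are fixtures built here.
"""
import os
import re
import tempfile
from urllib.parse import unquote


def naive_resolve(base_dir, requested):
    """Tutorial behaviour: concatenate and let the filesystem interpret '..'."""
    return os.path.realpath(base_dir + "/" + unquote(requested))


def resolve_download(base_dir, requested):
    """Return the file to serve, or None if the request escapes base_dir."""
    base = os.path.realpath(base_dir)
    # Same concatenation as the tutorial, then canonicalise so '..' and
    # symlinks are resolved before the comparison below.
    candidate = os.path.realpath(base + "/" + unquote(requested))
    # Containment check: the canonical target must sit under the canonical base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_tree():
    """Constructed fixture: <tmp>/images/cat.png. Returns the images directory."""
    root = tempfile.mkdtemp(prefix="dlpoc-")
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "cat.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")  # just a PNG header, enough for the demo
    return images


# Apache combined log: ip ident user [ts] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = [
    # the probe Paul posted
    '133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"',
    # constructed: a legitimate download
    '10.0.0.5 - - [27/Dec/2019:04:10:00 -0500] "GET /download.php?file=cat.png HTTP/1.1" 200 5120 "-" "curl/7.64.0"',
    # constructed: same idea, URL-encoded, and it got a 200 back
    '198.51.100.7 - - [27/Dec/2019:04:11:12 -0500] "GET /download.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1807 "-" "python-requests/2.22.0"',
]


def find_traversal_probes(log_lines):
    """Return (ip, target, status) for requests whose decoded target contains '../' or '..\\'."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        decoded = unquote(unquote(target))  # twice, so %252e%252e%252f is caught as well
        if "../" in decoded or "..\\" in decoded:
            hits.append((m.group("ip"), target, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    images = make_demo_tree()
    probe = "../../../../../../../../../../../../etc/passwd"
    print("tutorial join resolves to:", naive_resolve(images, probe))
    print("contained join returns:   ", resolve_download(images, probe))
    print("legitimate file:          ", resolve_download(images, "cat.png"))
    for ip, target, status in find_traversal_probes(SAMPLE_LOG):
        # a 404 is a miss; a 200 on a traversal target is the one to chase
        print(f"{ip} {status} {target}")
```

The log scanner keeps the status code on purpose: a 404 like the one in Paul's log means nothing was served, whereas a 200 or a large byte count on a traversal target is the line worth investigating. The containment check compares canonical paths rather than stripping `../` from the input, so encoded variants, symlinks under `images/`, and any `..` the filesystem would honour are all handled by the same comparison.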